Pilz Book
Orientation Guide!
Contents
2 Product liability
4 Safeguards
6 Safe communication
7 Safe motion
Preface
Chapter 1 Contents
1 Preface 1-3
1.1 Authors 1-5
Pilz GmbH & Co. KG, Felix-Wankel-Straße 2, 73760 Ostfildern, Germany. Telephone: +49 711 3409-0, Telefax: +49 711 3409-133, E-Mail: pilz.gmbh@pilz.de
Chapter 1 Preface
1 Preface
The world is constantly changing and the tasks and requirements in mechanical engineering are changing with it. Our Safety Compendium first appeared in 2008. The aim was to provide our customers with a handy orientation guide on the subject of functional safety and standards. The wide range of feedback we received shows that we succeeded.

Since then there have been further changes: more efficient production and automation concepts demand ever more intelligent safety solutions, or may only be made possible thanks to innovative safety technology. And from 2012, the new Machinery Directive applies without restrictions. This presents machine builders and users with new challenges, which need to be overcome. Enough reasons, then, to revise our Safety Compendium and add some relevant points. So the issues of mechanics versus electronics and dynamic versus inflexible control and safety concepts have now been added to the Safety Compendium, for the trend over recent years to replace mechanics with electronics in safety technology continues unabated. Another trend is also emerging: the more dynamic the processes, the higher the demand to enable controlled access to the process without compromising on performance and productivity. That's why flexible and dynamic concepts are increasingly in demand in safety technology; in future, a safe shutdown will only be a last resort in exceptional, justified circumstances. Against a background of rising demands on availability and productivity, integrated control and safety concepts are becoming increasingly significant.

Pilz has already reacted to current trends and set new standards with a range of new products and solutions, such as the automation system PSS4000 for safety and standard, the first safe three-dimensional camera system SafetyEYE, the safety gate system PSENsgate or safe motion. One thing we're quite sure of: customer proximity and innovation belong together and are mutually dependent. That's why the company's products are often developed in conjunction with or under contract from customers. So the process of idea development and innovation is a constant, mutually beneficial exchange.

Establishing trends in the field of products and solutions is only part of our response to the new requirements, however. Our services portfolio helps machine builders and users get to grips with the large number of standards and how they are implemented. Plus we lighten the load for companies, who can delegate their responsibility for safety issues. The huge demand in this area has confirmed that we are on the right track with our range of services relating to risk assessment, conformity assessment and CE certification. Pilz also operates an independent, accredited inspection body in accordance with the requirements of DIN EN ISO/IEC 17020, as accredited by the German Accreditation Body (DAkkS). This guarantees objectivity, high machine availability and the highest possible safety for staff.

In the future, the main purpose of safety technology will still be to make automated processes safer for man and the environment. More than ever, this is linked with the demand for production cycles to be designed to run more smoothly and efficiently. So safety technology is developing into an overall discipline that encompasses product plus safety and permanently shapes the entire plant and machine lifecycle.
The Safety Compendium is intended to help you face existing challenges and meet future requirements, while also serving as an informative reference. As I said earlier, ideas and innovations can only emerge in a process of constant exchange and as the Compendium too is the result of lively discourse between editors and readers, we really welcome your feedback. After all, a constructive exchange can make the Compendium even more valuable. So in this spirit I hope you find the book informative and insightful.
1.1 Authors
Christian Bittner is acting team leader of the Consulting Services Group within Pilz GmbH & Co. KG. He is in direct contact with customers: His duties include performing risk assessments, producing safety concepts, CE certification and other safety services. On behalf of Pilz he is also head of the DAkkS-accredited inspection body.
Holger Bode is responsible for the international co-ordination of Pilz Services within the Pilz International Services Group. Part of his role is to create specifications for internationally harmonised services such as risk assessment, safety concepts, CE marking and inspection of safeguards. He is also a member of Pilz's internal standards committee.
Harald Förster is head of the Customer Support department and a member of the management team at Pilz GmbH & Co. KG. He is an expert in the field of safety and automation technology, from development and design through to its practical application for the customer.
Roland Gaiser is head of the Actuator Systems division in development at Pilz GmbH & Co. KG. He also lectures on system development and simulation at the Faculty of Mechatronics and Electrical Engineering at Esslingen University. He has extensive knowledge in the field of basic development of actuator systems.
Andreas Hahn is head of the Networks, Control Systems and Actuator Technology division in product management at Pilz GmbH & Co. KG. He is also involved in Pilz's internal standards committee, which deals with the interpretation of standards. He has many years' experience in the design of automation solutions.
Jürgen Hasel is a trainer and consultant at Festo Didactic GmbH & Co. KG. His seminars focus on pneumatics, electropneumatics, valve terminals and safety technology. Earlier in his career he worked in the development department at Festo AG. He has been working closely with the training department of Pilz GmbH & Co. KG for some years. At Pilz he teaches the CMSE course (Certified Machinery Safety Expert), certified by TÜV Nord, as part of product-neutral training.
Prof. Dr. Thomas Klindt is a partner at the international law firm NOERR and is also honorary professor for Product and Technology Law at the University of Kassel. He is a member of the firm's internal product safety & product liability practice group, which oversees national and international product liability processes, product recalls and compensation claims.
Thomas Kramer-Wolf is the standards specialist at Pilz GmbH & Co. KG. He is a member of various standards committees and combines theoretical work with practical interpretation of standards, also as part of Pilz's internal standards committee.
Dr. Alfred Neudörfer is a lecturer in the Faculty of Mechanical Engineering at Darmstadt University of Technology. He is also a guest professor in safety technology at Nagaoka University of Technology in Japan. The subject of many of his lectures, seminars and technical papers is the design of safety-related products.
Andreas Schott is responsible for the Training and Education division within Pilz GmbH & Co. KG. As team leader, he works with his team to produce educational and practically relevant training concepts for both product-neutral and product-specific courses and seminars. His many years of experience as a state-approved electrical engineer and software programmer have familiarised him with the practical requirements of customers when it comes to safety technology.
Eszter Fazakas, LL.M. is a lawyer with the international law firm NOERR. She is also a member of the firm's internal product safety & product liability practice group, which oversees national and international product liability processes, product recalls and compensation claims.
Gerd Wemmer works as an application engineer in Customer Support at Pilz GmbH & Co. KG. He is responsible for consultancy, project engineering and the preparation of safety concepts for customers, from machine manufacturers to end users. He has many years' practical experience in safety technology.
Matthias Wimmer works in Customer Support at Pilz GmbH & Co. KG. He presents seminars on various subjects, including: New functional safety standards, New Machinery Directive and Safeguards. As an application engineer he produces risk assessments and safety concepts for machinery. He is also a member of the standards working group ISO/TC 199/WG 8, Safe control systems.
Michael Wustlich is team leader of the Software, Application and Tests division at Pilz GmbH & Co. KG. His duties include the development of user-level safety-related software in the form of standardised, certified products. Together with his team he is responsible for the specification and design of systematised application tests across all product groups.
Product liability
Chapter 2 Contents
2 Product liability 2-3
2.1 Terminology 2-4
2.2 Product Liability Act (ProdHaftG) 2-5
2.2.1 Introduction 2-5
2.2.2 Product defect 2-5
2.2.3 Producers and other responsible persons 2-7
2.2.4 Exclusion of liability 2-9
2.2.5 Distribution of the burden of proof 2-10
2.2.6 Special features of the Product Liability Act 2-10
2.3 Liability in tort, § 823 para. 1 BGB 2-11
2.3.1 Putting a defective product into circulation 2-11
2.3.2 Violation of a protected right 2-11
2.3.3 Violation of duty of care 2-12
2.3.4 Liability in the event of joint production 2-15
2.3.5 Hazard prevention measure, warning, retrofit, recall 2-18
2.4 § 823 para. 2 in conjunction with the Product Safety Act 2-20
2 Product liability
For decades, German producer liability law has recognised the obligations of (industrial) producers in the field of design, production, instruction and after-sales product monitoring. In 1990, this was joined by the German Product Liability Act, which stems from a Product Liability Directive from Brussels. Today, both systems apply in parallel.
2.1 Terminology
From industry's perspective, German law essentially distinguishes between contractual and statutory liability. Contractual liability is basically only considered between contractual partners, i.e. in genuine supply relationships. This issue is not dealt with any further here, although there are many pitfalls that await in contracts in cross-border business, which make an early legal review of such contracts a recommended course of action.

We generally talk of the risk from product or producer liability not when it concerns contracts and disputes between suppliers, but when it concerns people who assert a claim for damages: action is brought against a product's producer due to personal injury or material damage that his product is supposed to have caused (whether or not this is the case is generally decided after a complex process, usually involving a variety of specialists). The injured party makes a claim against the producer for financial compensation; compensation for non-pecuniary damages may also be involved if there has been damage to health.

Statutory liability is again subdivided into two categories. Liability resulting from unlawful acts, known as liability in tort, is based on an accusation or, in legal terms, on fault. In law, fault is described either as accountability or with the expressions of guilt: intent and negligence. If the law allows the mere presence of a certain risk to be enough to justify the producer's liability (with no interest in the question as to whether at least negligence was involved), we talk of strict liability. This comes into effect much earlier and is therefore particularly critical for producers. The above-mentioned liability in tort of the producer is regulated in § 823 of the German Civil Code (BGB); strict liability for defective products comes from the Product Liability Act (ProdHaftG). Its content can only be applied if the accident or damage occurred in Germany. This is also called the "scene of crime" principle. If the accident or damage occurs in a different country, the local liability law will apply in most cases. This may be more flexible in a particular case, but may also be stricter than German law. In any case it is an unfamiliar law; in incidents abroad such as these, legal advice must be obtained quickly so that mistakes are not made out of pure ignorance.

The section that follows will look first at strict liability under the Product Liability Act and then outline liability in tort. Although in practice both liability principles can usually be applied in parallel, there may be some important differences, particularly with regard to the scope of liability. These will be dealt with separately.
Figure: statutory liability is subdivided into liability in tort (§ 823 BGB) and strict liability (Product Liability Act).
2.2 Product Liability Act (ProdHaftG)

2.2.1 Introduction

Strict liability for defective products was introduced universally throughout the whole of the EU through the European Directive 85/374/EEC of 25.06.1985, the EC Product Liability Directive. This directive was implemented in Germany through the Product Liability Act, which has been in force since 01.01.1990.
2.2.2 Product defect

§ 3 of the Product Liability Act defines a defect as follows: A product is defective when it does not provide the safety which a person is entitled to expect, taking all circumstances into account, including the presentation of the product, the use to which it could reasonably be expected that the product would be put, and the time when the product was put into circulation.
§ 1 of the Product Liability Act states: If, as a result of a product defect, a person is killed, injured or suffers damage to his health, or an item is damaged, the producer of the product shall be liable to pay compensation to the other party for the resulting damage. In the case of material damage, this rule shall only apply if an item other than the defective product is damaged and this item is normally intended for private use or consumption and has been used by the injured party primarily for this purpose.
Under the Product Liability Act, liability shall be accepted for any death, bodily injury, damage to health or material damage caused by the defective product. However, damage to an item used for corporate, business, commercial or professional purposes, cannot be compensated under the Product Liability Act.
(Figure labels: Specialist firm; End users)
Example: The laser pointer was originally developed for commercial presentation purposes but has since found its way into the daily routine, even being regarded as a toy. Where safety expectation is concerned, the producer must consider the fact that laser beams may potentially be projected into the human eye. As a result, he must guarantee a higher safety standard than was required for the originally intended application. However, when certain products are specifically intended for specialists, such as a relay for electrical engineers for example, and it is clearly stated that the product may only be installed, commissioned and used by specialist staff, assembly instructions need not be provided for laypeople.

2.2.2.5 Inherently dangerous products

With many so-called inherently dangerous products, their danger lies precisely in their purpose and function. For example, poison that fails to kill is defective, and not defective when it does kill.

2.2.3 Producers and other responsible persons

In accordance with § 1 para. 1 of the Product Liability Act, the producer is primarily liable. This is defined as the actual producer of the finished product, component or raw material. The producer usually has a market presence as an AG, GmbH or some other company or corporate form. As a result, the company's liability is limited.
For example, if electronic monitoring relays are imported from China and a defect causes a fire, the injured party does not have to conduct a product liability action against the Chinese producer but can turn to the EU importer of the relays as the liable party.
2.2.5 Distribution of the burden of proof

The success of a product liability case depends largely on the burden of production and proof. The underlying principle is that the claimant always has to prove all the foundations of his claim. Under the Product Liability Act, the injured party must prove the defect, the causal relationship between the defect and the damage, and the damage itself. It is then presumed that the defect was already present when the product was put into circulation; the producer is excluded from liability if he can prove that the defect did not exist at that time.
2.2.6 Special features of the Product Liability Act

Claims under the Product Liability Act fall under the statute of limitations after three years. The limitation period begins on the day on which the plaintiff became aware, or should reasonably have become aware, of the damage, the product defect and the identity of the producer. All claims expire ten years after the product has been put into circulation.
2.3 Liability in tort, § 823 para. 1 BGB

§ 823 para. 1 of the German Civil Code (BGB): Anyone who, intentionally or negligently, unlawfully injures the life, body, health, property or other right of another person shall be liable to pay compensation to the other party for the resulting damage.
This general formulation includes liability for damage caused by a defective product to the purchaser, end user or other third party. If you transfer the individual conditions of liability into a structure, you have the following method of assessment:

1. Act or omission of the offender = putting a defective product into circulation
2. Physical injury or damage to health, damage to property
3. Physical injury, damage to health or damage to property caused by the defective product
4. Illegality
5. Fault (the slightest negligence is sufficient!)
6. Legal consequence: compensation

2.3.1 Putting a defective product into circulation

Liability in tort, as under the Product Liability Act, begins when the defective product is put into circulation. Nonetheless, the point at which the product is put into circulation is not defined in law. At the latest, therefore, this can be deemed to be when the product appears on the market, but this is not a condition: it is sufficient for the producer to pass the product to another person outside his own sphere of control.
The product is deemed to have been put into circulation when it has been delivered to a sales company which is legally independent of the producer, has been passed to the forwarder or carrier, or the subproduct has been supplied to the assembler. It has not been put into circulation if the product has merely been offered, held in stock or passed to a materials testing laboratory for test purposes.

2.3.2 Violation of a protected right

Compensation can only be claimed under § 823 para. 1 of the German Civil Code if one of the listed protected rights (body, health, property) has been damaged. From a case law perspective, the affected item does not necessarily have to have been harmed or destroyed for damage to property to have occurred; a restriction of its intended use is sufficient. In principle, compensation must be paid for other items destroyed by the producer's goods. By contrast, damage to the defective product itself (a built-in motor catches fire and destroys not only the machine but also itself) will only be compensated under the most limited conditions. This is the case because otherwise the boundary between the purely contractual liability of the seller and the liability in tort of the producer that is of interest here would become blurred. The details here are very complex and cannot be described within the scope of this Safety Compendium.
The producer must also take care to ensure that the user of the product understands the operating instructions. So a significant factor initially is whether the user can actually read and which languages he understands. This immediately raises the question of the languages into which a manual's safety guidelines should be translated. It goes without saying that the safety guidelines in an operating manual should always be translated into the language of the country in which the product will be sold. The producer cannot assume that the company responsible for international sales of a product in a particular country will also provide an adequate translation, including that of the relevant warnings, into the respective local language.
The producer must track the application of his product in practice, e.g. by evaluating specialist findings in industry journals, in the media or at specialist events and exhibitions. The product monitoring duty also includes monitoring product development at key competitors.
2.3.4.1 Liability of the producer of the end product

The end producer or assembler, who puts the individual product components together, has overall liability for the end product being free from defects. In the area of design, the end producer must ensure that the product part purchased from the supplier fulfils the function for which the end product is intended to be used, in accordance with the material specifications and load capacity parameters. So one of the most important tasks of the end producer is to specify the supplied product correctly and in detail. He must describe this precisely (e.g. material type, material properties, degree of hardness, dimensions, tolerance ranges, weight, manufacturing specifications, load capacity, reject ppm values, test methodologies etc.). Through precise target specifications he must also ensure that the supplied product does not show any safety-related defects (e.g. description of all operating conditions, application areas, operating hours, information regarding peak load, potential for excess mechanical stress, potential for misuse).
In terms of manufacturing, it is the responsibility of the end producer to ensure that the correct material is selected and used in the production of the supplied products. If the end producer does not come to an agreement with the supplier about the way in which the product is to be manufactured, whether through instruction or contractual agreement, he must undertake a type test of the supplied product in accordance with the latest state of scientific and technical knowledge. Example: The material, diameter and thread of screws should be tested for load capacity; bottles of mineral water for pressure resistance; carry handles and mounting brackets for tear strength. These testing obligations can be delegated in part to the supplier; in practice this is often achieved through quality assurance agreements. These will relate to the design and manufacture of the product and will specify certain quality assurance measures and test techniques. In practice, the details are legally very demanding.
For the necessary specifications and inspections or tests, reference is often made to a technical standard. Additional quality assurance measures, such as a feasibility study, result in the supplier's implementation programme. Case law has decided that the end producer can rely on the fact that the supplier builds the components to the contractually agreed quality requirements and inspects the quality himself. By selecting a renowned supply company who will carry out a thorough inspection, secure the necessary certification for the component and conclude quality assurance agreements, the end producer can reduce the level of his own inspection work. An end producer must also warn of any hazards associated with the supplied product. What's more, the end producer is obliged to forward the usage instructions or warnings provided by the supplier to the user of the product, and to incorporate these into the overall operating manual that he will produce.
2.3.4.2 Liability of the supplier

The supplier is the producer of a subproduct. He must therefore be responsible for any hazards emanating from his subproduct. The design obligations for the supplied parts depend to a certain extent on the purchaser's safety expectations. If the supplier knows the intended use of the end product, he must manufacture an appropriate part. He must also consider any known or conceivable misuse of the end product by the end user. In particular he must comply with the prescribed specifications and quality assurance requirements of his client. The supplier is also obliged to warn his client of any hazards associated with the supplied product which will not be generally known in the end producer's own industry. The supplier must provide plain answers to his client's enquiries about specific hazards. However, the supplier may plead ignorance to questions regarding product suitability, provided there is no further duty of disclosure.
2.3.5 Hazard prevention measure, warning, retrofit, recall

If after-sales product monitoring establishes that a product which has been put into circulation fails to meet safety expectations, the producer should check whether a hazard prevention measure is indicated with regard to the respective product, in order to avoid liability risks. In the context of this Safety Compendium, this includes any measures to prevent, remove or reduce hazards emanating from products that have already been put into circulation (e.g. warnings, new operating instructions, safety uploads, on-site retrofits or factory recalls).
2.4 § 823 para. 2 in conjunction with the Product Safety Act

In addition to the broad text of the general clause in § 823 para. 1 of the German Civil Code (BGB), liability to pay compensation may also arise in accordance with § 823 para. 2:

§ 823 para. 2 of the German Civil Code (BGB): The same liability (meaning liability to pay compensation) is held by anyone who breaks a law that is intended to protect another person.
In this case, the activity that violates the protected right violates a protective law: Protective law means that the respective legal provision is (also) intended to protect the individual through some other body of legislation and therefore, in the event of damage, violation of the law itself already establishes liability for compensation.
Chapter 3 Contents
Figure: the EU government writes EU directives; the EU treaties require national implementation of EU documents into national documents, so the governments of EU states translate/adopt them into national laws (the content is identical). In the same way, EU standards are adopted as national standards (DIN/BS/...), and national standards are linked to national laws.
3.2 CE marking
3.2.1 The basis of machine safety: Machinery Directive and CE mark

Generally speaking, all directives in accordance with the new concept (new approach) provide for CE marking. Where a product falls under the scope of several directives which provide for CE marking, the marking indicates that the product is assumed to conform with the provisions of all these directives.

3.2.2 Legal principles

The obligation to affix CE marking extends to all products which fall under the scope of directives providing for such marking and which are destined for the single market. CE marking should therefore be affixed to the following products that fall under the scope of a directive:
- All new products, irrespective of whether they were manufactured in member states or third countries
- Used products imported from third countries and second-hand products
- Products that have been substantially modified and fall under the scope of the directives as new products

When the Machinery Directive (MD) came into force in 1993, the aim was to remove trade barriers and enable a free internal market within Europe. After a two-year transition period, the Machinery Directive has been binding in Europe since 01.01.1995. It describes standardised health and safety requirements for interaction between man and machine and replaces the host of individual state regulations that existed on machinery safety. The new Machinery Directive 2006/42/EC has applied since 29.12.2009.

The CE mark stands for Communauté Européenne. A manufacturer uses this mark to document the fact that he has considered all the European internal market directives that are relevant to his product and applied all the appropriate conformity assessment procedures. Products that carry the CE mark may be imported and sold without considering national regulations. That's why the CE mark is also referred to as the "Passport to Europe". The directives may exclude certain products from CE marking.
The manufacturer uses the declaration of conformity to confirm that his product meets the requirements of the relevant directive(s). The information that follows is intended to explain CE marking in terms of the Machinery Directive.
3.2.3 CE marking of machinery

3.2.3.1 What is a machine?
For the purposes of the Directive, one definition of a machine is: "An assembly of linked parts or components, at least one of which moves, and which are joined together for a specific application." (see Article 2 of the Machinery Directive)

The following are also considered as machines for the purposes of the Machinery Directive:
- An assembly of machines or complex plants (complex plants include production lines and special purpose machinery made up of several machines)
- Safety components (the issue of which components to classify as safety components is very controversial; as yet there is no discernible, uniform trend)
- Interchangeable equipment that can modify the basic functions of a machine

There is also a list of exceptions where machinery falls under the scope of the Directive by definition, but for which other statutory provisions generally apply.

3.2.3.2 CE marking of plant and machinery
According to the Machinery Directive, a machine manufacturer is anyone who assembles machines or machine parts of various origins and places them on the market. A manufacturer may be the actual machine builder or, where a machine is modified, the operator. In the case of assembled machinery, it may be the manufacturer, an assembler, the project manager, an engineering company or the operator himself, who assembles a new installation from various machines, so that the different machine parts constitute a new machine. However, according to the Machinery Directive, only one manufacturer is responsible for the design and manufacture of the machine. This manufacturer or his authorised representative takes responsibility for implementing the administrative procedures for the entire plant. The manufacturer may appoint an authorised representative, who must be established in the EU, to assume responsibility for the necessary procedures for placing the product on the market:
- Compiling the plant's technical documentation
- Complying with the technical annex
- Providing operating instructions for the plant
- Affixing the CE mark in a suitable position on the plant and drawing up a declaration of conformity for the entire plant
It's important that the manufacturer considers the safety aspect early, as the contracts are being formulated or in the component requirements manual. The documentation shall not be compiled solely from the point of view of machine performance. The manufacturer is responsible for the whole of the technical documentation and must determine the part that each of his suppliers is to undertake in this process.

3.2.3.3 Use of machinery in the European Economic Area
Irrespective of the place and date of manufacture, all machinery used in the European Economic Area for the first time from 01.01.1995 is subject to the EU Machinery Directive and as such must be CE certified.

3.2.3.4 Assembled machinery
On large production lines a machine may often consist of several individual machines assembled together. Even if each of these bears its own CE mark, the overall plant must still undergo a CE certification process.

3.2.3.5 Importing a machine from a country outside the EU
When a machine is imported from a third country for use within the EU, that machine must comply with the Machinery Directive when it is made available on the EU market. Anyone who places a machine on the market for the first time within the European Economic Area must have the necessary documentation to establish conformity, or have access to such documentation. This applies whether you are dealing with an old machine or new machinery.

3.2.3.6 Machinery for own use
The Machinery Directive also obliges users who manufacture machinery for their own use to comply with the Directive. Although there are no problems in terms of free trade - after all, the machine is not to be traded - the Machinery Directive is applied to guarantee that the safety level of the new machine matches that of other machines available on the market.
[Figure: CE certification for individual machines and the overall plant.]
3.2.3.7 Upgrading machinery
Essentially, the Machinery Directive describes the requirements for new machinery. However, if a machine is modified to such an extent that new hazards are anticipated, an analysis will need to be carried out to determine whether the upgrade constitutes a significant modification. If this is the case, the measures to be taken will be the same as those for new machinery.
[Figure: Significant modification decision tree, as per "Significant modifications to machinery" from the chemical industry trade association BG Chemie. Recoverable decision nodes: 1. Start: use per intended modification; 2. Performance data, intended use modified or modules added or modified?; 8. Safety concept still appropriate, existing safeguard adequate and fully effective?; 12. Additional movable guard with interlock is appropriate and effective?]
3.2.3.8 Seven steps to a CE mark

Step 1: Categorise the product
The CE marking process starts by categorising the product. The following questions need to be answered:

Is the product subject to the Machinery Directive?
Here it's important to note that with the new Machinery Directive coming into force, some new products have been introduced (e.g. pressure vessels, steam boilers and funicular railways), while others have been omitted (e.g. electrical household and office equipment).

Is it a safety component?
Under the old Machinery Directive, safety components are treated separately and are not awarded a CE mark, although it is necessary to produce a declaration of conformity. Under the new Directive they will be treated as machinery and will therefore be given a CE mark.

Is the product listed in Annex IV of the Machinery Directive?
Annex IV of the Machinery Directive lists machinery that is considered particularly hazardous, such as presses, woodworking machinery, service lifts, etc. In this case, CE marking and the declaration of conformity must meet special requirements.

Is the machine a subsystem or partly completed machinery?
Manufacturers issue an EC declaration of conformity for functional machines that meet the full scope of Annex I of the Machinery Directive. For subsystems, e.g. robots, which cannot yet meet the full scope of Annex I, the manufacturer issues a manufacturer's declaration in accordance with Annex II B. The new Machinery Directive refers to subsystems as partly completed machinery. From the moment the new Machinery Directive becomes valid, all partly completed machinery must be accompanied by a declaration of incorporation in accordance with Annex II. At the same time, the manufacturer must perform a risk assessment and provide assembly instructions in accordance with Annex VI. Effectively the manufacturer's declaration or declaration of incorporation bans the subsystem from being put into service, as the machine is incomplete and as such may not be used on its own.
[Figure: flowchart for categorising the product (Step 1); recoverable labels: "Completed machinery", "CE marking by manufacturer".]
Step 2: Check the application of additional directives
Where machinery is also subject to other EU directives, which cover different aspects but also provide for the affixing of the CE mark, the provisions of these directives must be met before the CE mark is applied. If the machine contains electrical equipment, for example, it will often be subject to the Low Voltage Directive and, possibly, the EMC Directive too.

Step 3: Ensure that safety regulations are met
It is the responsibility of the machine manufacturer to comply with the essential health and safety requirements in accordance with Annex I of the Machinery Directive. The formulation of these requirements is relatively abstract, but specifics are provided through the EU standards. The EU publishes lists of directives and the related harmonised standards. Application of these standards is voluntary, but compliance does provide presumption of conformity with the regulations. This can substantially reduce the amount of evidence required, and a lot less work is needed to incorporate the risk assessment.
Step 4: Perform the risk assessment
[Figure: Extract from a risk analysis.]
The manufacturer is obliged to carry out a risk analysis to determine all the hazards associated with his machine. The result of this analysis must then be considered in the design and construction of that machine. The contents and scope of a hazard analysis are not specified in any directive, but EN ISO 12100 describes the general procedure. All relevant hazards must be identified, based on the intended use and taking into consideration all the lifecycles once the machine is first made available on the market. All the various groups who come into contact with the machine, such as operating, cleaning or maintenance staff for example, are also considered. The risk is assessed and evaluated for each hazard. Risk-reducing measures are established in accordance with the state of the art and in compliance with the standards. The residual risk is assessed at the same time: if it is too high, additional measures are required. This iterative process is continued until the necessary safety is achieved.

Step 5: Compile the technical documentation
In accordance with the Machinery Directive, technical documentation specifically comprises:
- An overall drawing of the machinery and drawings of the control circuits
- Full, detailed drawings (accompanied by any calculation notes, test results, etc.) required to check the conformity of the machinery with the essential health and safety requirements
- A list of the essential requirements of this directive, standards and other technical specifications used in the design of the machinery, and a description of the protective measures implemented to eliminate hazards presented by the machinery (generally covered by the risk analysis)
- Technical reports or certificates; reports or test results showing conformity
- The machine's operating instructions
- A general machine description
- Declaration of conformity or declaration of incorporation plus the assembly instructions
- Declarations of conformity for the machines or devices incorporated into the machinery

This documentation does not have to be permanently available in material form. However, it must be possible to assemble it and make it available within a period of time commensurate with its importance. It must be retained for at least ten years following the date of manufacture and be available to present to the relevant national authorities. In the case of series manufacture, that period shall start on the date that the last machine is produced.
Step 6: Issue the declaration of conformity
By issuing the EC declaration of conformity, the manufacturer declares that they have considered all the directives that apply to the product. The person signing an EC declaration of conformity must be authorised to represent his company. This means that the signatory is legally entitled to execute a legal transaction, such as signing the EC declaration of conformity, on account of their job function. When an authorised employee of the company adds their valid signature to an EC declaration of conformity, they trigger the liability of the natural responsible person and, if applicable, the company as a legal entity. The declaration may also be signed by an authorised representative, who is established in the EU. The new Machinery Directive requires the declaration to name the person authorised to compile the technical documentation. This person must be established in the EU.

Step 7: Affix the CE marking
[Figure: CE mark characteristics (proportions of the CE mark drawn on a dimensioned grid).]
The CE mark may be affixed once the EC declaration of conformity has been issued. It's important that CE marking for the complete machine is clearly distinguishable from any other CE markings, e.g. on components. To avoid confusion with any other markings, it is advisable to affix the CE marking for the complete machine to the machine type plate, which should also contain the name and address of the manufacturer.
3.3 Directives
Of the almost 30 active directives now available, only a small selection is relevant to the typical machine builder. Some directives may have a very long or bureaucratic title in addition to the directive number (e.g. 2006/42/EC). Variations can be seen in the last part of the directive number. This will contain EC, EU, EG, EWG or some other abbreviation, depending on the language area and issue date. As a result it is generally very difficult to name the directive. These long titles are often abbreviated separately, even though this can also lead to misunderstandings. Here is a list of some of the key directives with both their official title and their usual, though unofficial, abbreviated title:
| Directive | Official title | Usual abbreviated title |
| --- | --- | --- |
| 98/37/EC | Directive 98/37/EC of the European Parliament and of the Council of 22 June 1998 on the approximation of the laws of the Member States relating to machinery | Machinery Directive |
| 2006/42/EC | Directive 2006/42/EC of the European Parliament and of the Council of 17 May 2006 on machinery, and amending Directive 95/16/EC (recast) | Machinery Directive |
| 2001/95/EC | Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety | |
| 2004/108/EC | Directive 2004/108/EC of the European Parliament and of the Council of 15 December 2004 on the approximation of the laws of the Member States relating to electromagnetic compatibility and repealing Directive 89/336/EEC | EMC Directive |
| 1999/5/EC | Directive 1999/5/EC of the European Parliament and of the Council of 9 March 1999 on radio equipment and telecommunications terminal equipment and the mutual recognition of their conformity | |
| 2003/10/EC | Directive 2003/10/EC of the European Parliament and of the Council of 6 February 2003 on the minimum health and safety requirements regarding the exposure of workers to the risks arising from physical agents (noise) | Noise Directive |
| 2006/95/EC | Directive 2006/95/EC of the European Parliament and of the Council of 12 December 2006 on the harmonisation of the laws of Member States relating to electrical equipment designed for use within certain voltage limits | Low Voltage Directive |
| 89/686/EEC | Council Directive on the approximation of the laws of the Member States relating to personal protective equipment | |
The aim of the directives is to guarantee freedom of movement within the EU. The full texts of the directives are available from the EU at http://eur-lex.europa.eu/de/legis/index.htm. Of all these directives, only the Machinery Directive will be examined here in any further detail. However, the list of relevant standards will naturally refer to standards that relate to other directives.
3.3.1 Machinery Directive
Directive 98/37/EC and its successor 2006/42/EC have special significance in terms of the functional safety of machinery. This directive, generally known as the Machinery Directive, is concerned with the standardisation of European safety requirements on machinery.

3.3.1.1 Content
The Machinery Directive covers the key aspects of machine safety. The contents of the Machinery Directive are as follows:
- Scope, placing on the market, freedom of movement
- Conformity assessment procedures
- CE marking
- Essential health and safety requirements
- Categories of machinery and the applicable conformity assessment procedures
- EC declaration of conformity and type-examination
- Requirements of notified bodies

3.3.1.2 Validity
The Machinery Directive 2006/42/EC replaced the previous version 98/37/EC with effect from 29.12.2009. There is no transition period.

3.3.1.3 Standards relating to the Machinery Directive
At this point, it makes no sense to name all the standards that are listed under the Machinery Directive and are therefore considered as harmonised. As of Spring 2011, there were more than 700 standards listed directly. To then add all the standards that are relevant indirectly via the standards that are listed directly would go far beyond the scope of this compendium. The following chapters will therefore concentrate on those standards for the Machinery Directive which are of general significance.
3.4 Standards
3.4.1 Publishers and scope
At European level, harmonisation of the legislation also triggered harmonisation of the standards. Traditionally, almost every country has one or more of its own standards institutes. There are also some international co-operations. This means that the same standard is published at different levels under different names. In most if not all cases, the generic name of the standard is continued and recognisable as part of the national standard name. More about that below.

3.4.1.1 International standards
At international level, the most important publishers of engineering standards are probably the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO), both of which are based in Geneva. While the IEC is primarily concerned with electrical and electronic issues, ISO deals mainly with mechanical issues. Well over 100 countries are currently members of the two organisations, which gives considerable weight to those standards developed by IEC and ISO. The EN standards are applied at European level. EN standards are normally developed through CEN and CENELEC as an EU initiative. As with IEC and ISO, CEN and CENELEC divide up the standards. CENELEC is responsible for electrical issues. Today, many standards are developed almost as a package, as an IEC or ISO standard in co-operation with the EU via CEN and CENELEC. EN IEC or EN ISO standards are the result of these efforts.

3.4.1.2 National standards
The diversity of national standards and standards institutes is almost unmanageable. In the EU at least, the aim is to produce the majority of standards directly as an EN standard, which is then reflected at national level, i.e. the EN standard is declared a national standard or the national standard is introduced as an EN standard. In Germany for example, the German Institute for Standardization (Deutsches Institut für Normung - DIN) is responsible for publishing national standards.

Today it's common practice for DIN standards to be developed and published directly in conjunction with CEN or CENELEC as DIN EN ISO or DIN EN. The only difference between these standards is usually the national preface to the EN, ISO or IEC standard. The same standard will come into effect at EU level as an EN ISO or EN IEC standard, while the identical German standard is called DIN EN ISO or DIN EN. In other European countries, the procedure is virtually the same except that a different institute publishes the standard. In Austria, this will be the Austrian Standards Institute (Österreichisches Normungsinstitut - ÖNORM), while Great Britain has the British Standard (BS). If an ISO standard becomes an EN standard, its title will be EN ISO. If it then becomes a DIN standard, its full title will be DIN EN ISO. The more local the institute, the further forward it appears in the name. One curious aside: if an IEC standard becomes an EN standard, the IEC name is dropped. IEC 61508 becomes the European standard EN 61508 or the German DIN EN 61508. While many countries such as China or Switzerland, for example, also follow the European procedure for a centralised standards institute, there are still some nasty surprises to be had elsewhere. In the USA, standards are published by ANSI, RSA and UL, among others. Sometimes there are co-operations such as ANSI ISO or UL IEC standards, but unfortunately there is no simple rule.
3.4.2 EN engineering safety standards There is no intention at this point to provide a complete list of the European engineering safety standards. Over 600 standards are listed as harmonised under the Machinery Directive alone. The following section addresses a selection of the general safety standards. They are explained in various degrees of detail, depending on the significance of the individual standard.
| Standard | Harmonised | Title |
| --- | --- | --- |
| | | Safety of machinery - Minimum gaps to avoid crushing of parts of the human body |
| | | Safety of machinery - Human body measurements |
| | | Safety of machinery - Two-hand control devices - Functional aspects - Principles for design |
| EN 953:2009 | Yes | Safety of machinery - Guards - General requirements for the design and construction of fixed and movable guards |
| EN 1005-1 to -4:2008, EN 1005-5:2007 | Yes | Safety of machinery - Human physical performance |
| EN 1037:2008 (identical to ISO 14118:2000) | Yes | Safety of machinery - Prevention of unexpected start-up |
| EN 1088:2007 (equates to ISO 14119:2006) | Yes | Safety of machinery - Interlocking devices associated with guards - Principles for design and selection |
| EN ISO 11161:2010 | Yes | Safety of machinery - Integrated manufacturing systems - Basic requirements |
| EN ISO 12100:2010 (replaces EN ISO 12100-1 and -2, EN ISO 14121, EN 292) | Yes | Safety of machinery - General principles for design - Risk assessment and risk reduction |
| EN 12453:2000 | | Industrial, commercial and garage doors and gates - Safety in use of power operated doors - Requirements |
| EN ISO 13849-1:2009 | Yes | Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design |
| EN ISO 13849-2:2008 | Yes | Safety of machinery - Safety-related parts of control systems - Part 2: Validation |
| | Yes | Safety of machinery - Positioning of safeguards with respect to the approach speeds of parts of the human body |
| | Yes | Safety of machinery - Safety distances to prevent hazard zones being reached by upper and lower limbs |
| | No | Safety of machinery - Interlocking devices associated with guards - Principles for design and selection |
| Standard | Harmonised | Title |
| --- | --- | --- |
| EN ISO 14121-1:2007 (replaces EN 1050) | Yes | Safety of machinery - Risk assessment - Part 1: Principles |
| ISO TR 23849:2010 (identical to IEC TR 62061-1:2009) | No | Guidance on the application of ISO 13849-1 and IEC 62061 in the design of safety-related control systems for machinery |
| EN 60204-1:2010 | Yes | Safety of machinery - Electrical equipment of machines - Part 1: General requirements |
| EN 60947-5-1:2009, EN 60947-5-2:2008, EN 60947-5-3:2007, EN 60947-5-4:2003, EN 60947-5-5:2006, EN 60947-5-6:2001, EN 60947-5-7:2003, EN 60947-5-8:2007, EN 60947-5-9:2008 | Yes | Low voltage switchgear and controlgear - Part 5: Control circuit devices and switching elements |
| EN 61326-3 Parts 1+2:2008 | No | Electrical equipment for measurement, control and laboratory use - EMC requirements |
| EN 61496-1:2010 | Yes | Safety of machinery - Electrosensitive protective equipment - Part 1: General requirements and tests |
| | | Safety of machinery - Electrosensitive protective equipment - Part 2: Particular requirements for equipment using active optoelectronic protective devices (AOPDs) |
| CLC/TS 61496-3:2008 (replaces EN 61496-3:2003) | No | Safety of machinery - Electrosensitive protective equipment - Part 3: Particular requirements for active optoelectronic protective devices responsive to diffuse reflection (AOPDDR) |
| EN 61508 Parts 1-7:2010 | No | Functional safety of safety-related electrical, electronic and programmable electronic control systems |
| EN 61511 Parts 1-3:2004 | No | Functional safety - Safety instrumented systems for the process industry sector |
| EN 61784-3:2010 | No | Industrial communication networks - Profiles - Part 3: Functional safety fieldbuses - General rules and profile definitions |
| | | Adjustable speed electrical power drive systems - Part 5-2: Safety requirements - Functional |
| | | Safety of machinery - Application of protective equipment to detect the presence of persons |
| EN 62061:2010 | Yes | Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems |
| IEC/TR 62685:2010 | No | Industrial communication networks - Profiles - Assessment guideline for safety devices using IEC 61784-3 functional safety communication profiles (FSCPs) |
| NFPA 79:2009 | No | Industrial machinery |
3.4.3 Generic standards and design specifications

3.4.3.1 EN ISO 12100 and EN ISO 14121
| Standard | Harmonised | Title |
| --- | --- | --- |
| EN ISO 12100:2010 (replaces EN ISO 12100-1 and -2, EN ISO 14121; transition period until 30.11.2013) | Yes | Safety of machinery - General principles for design - Risk assessment and risk reduction |
| EN ISO 12100-1:2009 (replaces EN 292) | Yes | Safety of machinery - Basic concepts, general principles for design - Part 1: Basic terminology, methodology |
| EN ISO 12100-2:2009 (replaces EN 292) | Yes | Safety of machinery - Basic concepts, general principles for design - Part 2: Technical principles |
| EN ISO 14121-1:2007 (replaces EN 1050) | Yes | Safety of machinery - Risk assessment - Part 1: Principles |
The standards EN ISO 12100-1 and -2 plus EN ISO 14121-1 essentially explain the principles and methods by which a risk assessment, risk analysis and risk minimisation should be carried out. EN ISO 14121-1 replaces its predecessor EN 1050. The two-part standard EN ISO 12100 replaces EN 292. All three standards are harmonised and so are particularly helpful for the European legal area. In 2011, EN ISO 12100 provided a further summary of EN ISO 12100-1 and -2 plus EN ISO 14121-1. This standard is identical in content to the named standards and simply summarises them within one document. The transition period in which the standards can coexist has been set until 30.11.2013. The diagram overleaf (see page 3-21) identifies the individual elements examined in these standards. It's worth noting that some aspects overlap between the standards and have therefore been merged within EN ISO 12100. Some diagrams are repeated within the standards, at least as extracts. Together these standards provide a good selection of the hazards, risk factors and design principles that need to be considered.
Elements within the diagram that have a dark yellow background are the areas covered by the user standards EN ISO 13849-1 and EN/IEC 62061 and are examined there in greater detail. Where possible the diagram refers to the corresponding clauses that cover the relevant aspect within the standards. Some points can certainly be found in several standards, but the level of detail generally varies.
[Figure: Risk estimation and risk reduction in accordance with EN ISO 12100. The flowchart runs from START through risk assessment (Clause 5) and risk analysis: determination of the limits of the machinery (space, time, environmental conditions, use; Clause 5.3); hazard identification for all lifecycles and operating modes (Clause 5.4 and Annex B); then, separately for each risk, risk estimation by severity, possibility of avoidance, frequency and duration (Clause 5.5; EN/IEC 62061 Annex A; EN ISO 13849-1 Annex A, risk graph). Decision nodes: "Can the risk be reduced by inherently safe design measures?" (Yes: risk reduction by inherently safe design measures, Clause 6.2); "Can the risk be reduced by guards and other safeguards?" (Yes: implementation of safety function SRCF/SRP/CS per EN ISO 13849-1 / EN/IEC 62061); "Is the intended risk reduction achieved?" (Yes: documentation, Clause 7, then END). Versions of the standards quoted: EN ISO 12100 2010, EN ISO 12100-1 2009*, EN ISO 12100-2 2009*, EN ISO 13849-1 2009, EN ISO 14121-1 2007*, EN/IEC 62061 2010* (* marked "Replacement for" in the figure legend).]
3.4.3.2 IEC/TR 62685 Test requirements and EMC
| Standard | Harmonised | Title |
| --- | --- | --- |
| IEC/TR 62685:2010 | No | Industrial communication networks - Profiles - Assessment guideline for safety devices using IEC 61784-3 functional safety communication profiles (FSCPs) |
IEC/TR 62685 was produced from the test requirements of the German BGIA document GS-ET-26 and covers the requirements of safety components within a safety function. It covers the issue of labelling and EMC as well as mechanical and climatic tests. This closes some of the gaps left by EN ISO 13849-1 and EN 61784-3. Overall the document is more relevant to safety component manufacturers than plant and machine builders. However, as the document contains a good comparison of EMC requirements, it may also be of interest to machine builders.

The EN 61784-3 series of standards covers a whole range of safety enhancements for different fieldbus profiles, based on the specifications of EN 61508. These enhancements are handled as safety profiles and describe the mechanisms and technical details of these profiles. For the average machine builder, at most the generic part of EN 61784-3 will be of interest, as this is the part that describes the general safety principles. The profile documents EN 61784-3-x are mainly intended for device manufacturers who wish to build their own safety devices in accordance with one of the published profiles. In this case, it makes sense to work in cooperation with the relevant user groups behind these profiles, as they will be familiar with the basic profiles described in the series EN 61784-1 and -2, as well as EN 61158. A complete profile consisting of the relevant parts of EN 61784 and EN 61158 will contain between 500 and 2,000 pages. All the profiles together amount to around 10,000 pages.
3.4.3.4 EN ISO 13849-1
Standard: EN ISO 13849-1:2008
Harmonised: Yes
Title: Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design

Content
EN ISO 13849-1 addresses the issue of risk assessment using a risk graph and also deals with the validation of safety functions based on structural and statistical methods. The objective is to establish the suitability of safety measures to reduce risks. In terms of content, therefore, it is almost on a par with EN 62061. The work involved in making the calculations required under this standard can be reduced considerably if appropriate software is used. Calculation tools such as the Safety Calculator PAScal are available as free software: http://www.pilz.de/products/software/tools/f/pascal/index.de.jsp

Scope
EN ISO 13849-1 is a generic standard for functional safety. It has been adopted at ISO level and within the EU is harmonised to the Machinery Directive. It therefore provides presumption of conformity within the EU. The scope is given as the electrical, electronic, programmable electronic, mechanical, pneumatic and hydraulic safety of machinery.

Risk assessment/risk analysis
Risks are assessed in EN ISO 13849-1 with the aid of a risk graph. The assessed criteria include severity of injury, frequency of exposure to the risk and the possibility of avoiding the risk. The outcome of the assessment is a required performance level (PLr) for the individual risks. In subsequent stages of the risk assessment, the levels determined using the risk graph are aligned with the selected risk reduction measures. For each classified risk, one or more measures must be applied to prevent the risk from occurring or to sufficiently reduce the risk. The quality of the measure in the performance level must at least correspond to the level determined for the respective risk.
Determination of the required performance level PLr
Just 3 parameters need to be examined to assess the performance level (PL):

S   Severity of injury
    S1  Slight (normally reversible injury)
    S2  Serious (normally irreversible injury, including death)
F   Frequency and/or exposure to a hazard
    F1  Seldom to less often and/or exposure time is short
    F2  Frequent to continuous and/or exposure time is long
P   Possibility of avoiding the hazard
    P1  Possible under specific conditions
    P2  Scarcely possible

The required performance level PLr is calculated using the following graph and the classification of the individual parameters. Assessment of the risk begins at the starting point on the graph and then follows the corresponding path, depending on the risk classification. The required performance level PLr a, b, c, d or e is determined once all the parameters have been assessed.

Risk graph in accordance with EN ISO 13849-1 (PLr a to e, from low to high contribution to risk reduction).

Assessing the implementation/examining the system
EN ISO 13849-1 works on the assumption that there is no such thing as a safe device. Devices only become suitable through an appropriate design for use in applications with increased requirements. As part of an assessment each device is given a PL, which describes its suitability. Simple components can also be described via their MTTFd (mean time to dangerous failure) or B10d value (mean number of cycles until 10 % of the components fail dangerously). The following considerations examine how the failure of devices or their components affects the safety of the system, how likely these failures are to occur and how to calculate the PL.
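The path through the risk graph and the final PL-versus-PLr comparison, written out as an added Python example (this is not code from the compendium or from Pilz). The S/F/P-to-PLr path table is the risk graph of EN ISO 13849-1 itself, which the compendium only shows as a graphic; the sample hazards at the bottom are constructed for illustration.

```python
"""EN ISO 13849-1 risk graph: derive the required performance level PLr
from the parameters S, F and P, then check an achieved PL against it.

Added example, not part of the Pilz compendium. RISK_GRAPH encodes the
eight paths of the EN ISO 13849-1 risk graph (starting point -> S -> F -> P).
"""

# PLr reached at the end of each path through the risk graph.
# S1/S2 severity, F1/F2 frequency and/or exposure, P1/P2 avoidance.
RISK_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}

# 'a' is the lowest, 'e' the highest contribution to risk reduction.
PL_ORDER = "abcde"


def required_pl(severity: str, frequency: str, avoidance: str) -> str:
    """Walk the risk graph from its starting point and return PLr (a..e)."""
    key = (severity.upper(), frequency.upper(), avoidance.upper())
    if key not in RISK_GRAPH:
        raise ValueError(f"not a valid S/F/P classification: {key}")
    return RISK_GRAPH[key]


def pl_meets_requirement(achieved_pl: str, plr: str) -> bool:
    """Final assessment step: the achieved PL must be >= the required PLr."""
    return PL_ORDER.index(achieved_pl.lower()) >= PL_ORDER.index(plr.lower())


def assess(hazards):
    """Classify (name, S, F, P, achieved PL) tuples.

    Returns a dict name -> (PLr, True if the achieved PL satisfies PLr).
    """
    result = {}
    for name, s, f, p, achieved in hazards:
        plr = required_pl(s, f, p)
        result[name] = (plr, pl_meets_requirement(achieved, plr))
    return result


if __name__ == "__main__":
    # Constructed sample hazards (not taken from the compendium).
    sample = [
        ("press tool closing", "S2", "F2", "P1", "d"),
        ("conveyor nip point", "S1", "F1", "P2", "b"),
        ("robot cell entry", "S2", "F2", "P2", "d"),  # PLr e, not met
    ]
    for name, (plr, ok) in assess(sample).items():
        print(f"{name}: PLr = {plr}, requirement met: {ok}")
```

The ordinal comparison in `pl_meets_requirement` is the whole of the final step: a measure rated PL d satisfies PLr c or d but not PLr e, which is why the third sample hazard fails.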
Determination of common cause failures (CCF factor)
The CCF factor is determined through a combination of several individual assessments. One of the first key parameters to examine is the system architecture. Systematic effects in particular need to be assessed, such as the failure of several components due to a common cause. The competence and experience of the developers are also evaluated, along with the analysis procedures. An evaluation scale is used, on which a score of between 0 and 100 % can be achieved.

Requirement | Score
Physical separation of safety circuits and other circuits | 15 %
Diversity (use of diverse technologies) | 20 %
Design/application/experience | 20 %
Assessment/analysis | 5 %
Competence/training | 5 %
Environmental influences (EMC, temperature, ...) | 35 %

With EN ISO 13849-1, the effect of the CCF is deemed acceptable if the total score achieved is > 65 %.

PL assessment
EN ISO 13849-1 uses the diagnostic coverage (DC), the system category and the system's MTTFd to determine the PL (performance level). The first value to be determined is the DC. This depends on λDD (failure rate of detected dangerous failures) and λDtotal (failure rate of all dangerous failures). In the simplest case this is expressed as:

$$\mathrm{DC} = \frac{\lambda_{DD}}{\lambda_{Dtotal}}$$

For a system made up of N blocks with individual values DC_i and MTTFd_i, the average diagnostic coverage DCavg is the MTTFd-weighted mean of the individual values:

$$\mathrm{DC_{avg}} = \frac{\dfrac{\mathrm{DC}_1}{\mathrm{MTTF_{d1}}} + \dfrac{\mathrm{DC}_2}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{\mathrm{DC}_N}{\mathrm{MTTF_{dN}}}}{\dfrac{1}{\mathrm{MTTF_{d1}}} + \dfrac{1}{\mathrm{MTTF_{d2}}} + \dots + \dfrac{1}{\mathrm{MTTF_{dN}}}}$$
With homogeneous or single-channel systems, the MTTFd value of a channel can be established approximately from the reciprocal values of the individual components: the reciprocal of the channel's MTTFd is the sum of the reciprocals of the component MTTFd values. The result corresponds to the MTTFd value of a single channel.
With dual-channel, diverse systems, the MTTFd value of both channels needs to be calculated separately. Both values are included in the calculation of the combined MTTFd, using the formula below.

$$\mathrm{MTTF_d} = \frac{2}{3}\left[\mathrm{MTTF_{d,C1}} + \mathrm{MTTF_{d,C2}} - \frac{1}{\dfrac{1}{\mathrm{MTTF_{d,C1}}} + \dfrac{1}{\mathrm{MTTF_{d,C2}}}}\right]$$

Here too, a table is used to derive a qualitative evaluation from the numeric value, which is then used in subsequent considerations.

Denotation of MTTFd | Range
Low | 3 years ≤ MTTFd < 10 years
Medium | 10 years ≤ MTTFd < 30 years
High | 30 years ≤ MTTFd < 100 years
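The quantitative inputs of the PL assessment (DC, DCavg, single- and dual-channel MTTFd, the MTTFd denotation and the CCF score) carried through in an added Python example; this is not code from the compendium or from Pilz, and PAScal is not involved. The formulas are the ones quoted above; the CCF requirement keys and the 100-year cap on a channel's MTTFd are assumptions taken from EN ISO 13849-1, and all numeric inputs in the tests are constructed.

```python
"""EN ISO 13849-1 quantitative inputs: DC, DCavg, channel MTTFd,
MTTFd denotation and the CCF score.

Added example, not part of the Pilz compendium. The CCF keys below are
short names chosen here for the six requirements of the EN ISO 13849-1
CCF table; the 100-year cap is the limit EN ISO 13849-1 places on a
single channel's MTTFd (an assumption of this example, not stated on
the page).
"""
from typing import Iterable, Optional

# CCF scoring table (EN ISO 13849-1): requirement -> score in %.
CCF_SCORES = {
    "separation": 15,   # physical separation of safety and other circuits
    "diversity": 20,    # use of diverse technologies
    "design": 20,       # design / application / experience
    "assessment": 5,    # assessment / analysis
    "competence": 5,    # competence / training
    "environment": 35,  # environmental influences (EMC, temperature, ...)
}

MTTFD_CAP_YEARS = 100.0


def dc(lambda_dd: float, lambda_dtotal: float) -> float:
    """DC = lambda_DD / lambda_Dtotal (detected dangerous / all dangerous)."""
    if lambda_dtotal <= 0:
        raise ValueError("total dangerous failure rate must be positive")
    return lambda_dd / lambda_dtotal


def dc_avg(blocks: Iterable) -> float:
    """DCavg over (DC_i, MTTFd_i) blocks: sum(DC_i/MTTFd_i) / sum(1/MTTFd_i)."""
    blocks = list(blocks)
    numerator = sum(d / m for d, m in blocks)
    denominator = sum(1.0 / m for _, m in blocks)
    return numerator / denominator


def mttfd_single_channel(component_mttfd: Iterable[float]) -> float:
    """Parts-count approximation: 1/MTTFd = sum of 1/MTTFd_i over the channel."""
    return 1.0 / sum(1.0 / m for m in component_mttfd)


def mttfd_dual_channel(c1: float, c2: float) -> float:
    """Symmetrise two diverse channels:
    MTTFd = 2/3 * [C1 + C2 - 1 / (1/C1 + 1/C2)]."""
    return 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2))


def mttfd_denotation(mttfd_years: float) -> Optional[str]:
    """Qualitative class: low [3, 10), medium [10, 30), high [30, 100].

    Below 3 years is not admissible (None); values above 100 years are
    capped to 100 years before classification.
    """
    m = min(mttfd_years, MTTFD_CAP_YEARS)
    if m < 3:
        return None
    if m < 10:
        return "low"
    if m < 30:
        return "medium"
    return "high"


def ccf_score(fulfilled: Iterable[str]) -> int:
    """Sum the scores of the CCF requirements that are fully met."""
    return sum(CCF_SCORES[key] for key in set(fulfilled))


def ccf_acceptable(fulfilled: Iterable[str]) -> bool:
    """Compendium rule: the effect of CCF is acceptable if the score is > 65 %."""
    return ccf_score(fulfilled) > 65


if __name__ == "__main__":
    # Constructed values: one channel of three components, a diverse second channel.
    ch1 = mttfd_single_channel([50.0, 100.0, 200.0])   # about 28.6 years
    ch2 = 90.0
    print("channel 1 MTTFd:", round(ch1, 2), mttfd_denotation(ch1))
    print("dual-channel MTTFd:", round(mttfd_dual_channel(30.0, ch2), 2))
    print("DCavg:", round(dc_avg([(0.99, 30.0), (0.60, ch2)]), 4))
    print("CCF ok:", ccf_acceptable(["separation", "diversity", "environment"]))
```

Note how the parts-count step pulls a channel built from 50-, 100- and 200-year components down to under 30 years, i.e. from "high" to "medium", which is the kind of result the compendium means when it says the calculation work is considerable.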
The system architecture can be divided into five different categories. The achieved category depends not only on the architecture, but on the components used and the diagnostic coverage. The graphic below illustrates some classifications by way of example.

Example architectures for Category B, 1, Category 2, Category 3 and Category 4 (with OSSD1/OSSD2 outputs and instantaneous and delayed output paths).
In a final assessment stage, a graphic is used to assign the PL based on the recently calculated values.

PL assignment in accordance with EN ISO 13849-1 (bar chart): bars for Cat B with DCavg = none, Cat 1 with DCavg = none, Cat 2 with DCavg = low, Cat 3 with DCavg = low, Cat 3 with DCavg = medium and Cat 4 with DCavg = high, each spanning the MTTFd ranges low, medium and high (3, 10, 30 and 100 years), with the PL on the left-hand scale.

The most practical approach is to select the column for Category and DC first. Then choose the relevant MTTFd range from the bar. The PL result can now be read from the left-hand scale. In most cases, some interpretation will still be required, as often there is no clear relationship between the MTTFd range and the PL. The final step is to compare the required PLr level from the risk assessment with the achieved PL. If the achieved PL is greater than or equal to the required PLr, the requirement for the implementation is considered to have been met.

Transition periods: EN 954-1 and ISO 13849-1:1999 to EN ISO 13849-1:2008
Since 08.05.2007, EN 954-1 has ceased to be listed in the Official Journal of the EU and as such is no longer regarded as harmonised. It does remain significant, however. This is because it is named as the reference of the superseded standard in its successor, EN ISO 13849-1:2008. The corresponding publication establishes that presumption of conformity for EN 954-1 shall apply until 31.12.2011. After that date, presumption of conformity shall no longer apply for EN 954-1.

At ISO level the current situation is that ISO 13849-1:1999 (identical content to EN 954-1) was replaced by ISO 13849-1:2006 with immediate effect. So ISO 954-1 ceased to apply in 2006. There is no transition period.

C standard refers to EN 954-1
So what happens now to the C standards, also known as product standards, which refer to EN 954-1 or ISO 13849-1:1999 and require a particular category in accordance with EN 954-1 or ISO 13849-1:1999 for specific safety functions, for example? CEN and EN have the task of resolving such problems quickly and of rewording these standards so that they refer to EN ISO 13849-1. However, the situation has arisen in which a series of C standards have not been adapted within the stipulated time. At the time of going to print (Q2/2011), around 160 of more than 600 harmonised standards had still not been updated. As a result, there are valid standards that refer to the withdrawn standards EN 954-1 or ISO 13849-1:1999. References to ISO 13849-1:1999 are almost worthless as they have no direct validity in the EU. The usual procedure of referring to the successor of EN 954-1 will fail in this case because the way in which safety functions are considered has changed substantially and the categories required for implementation in EN ISO 13849-1:2006 mean something different. What does that mean for someone who needs to certify a machine for which such a C standard exists? In this case, EN 954-1 and ISO 13849-1:1999 will still be applicable, through the back door as it were.
Irrespective of this situation, the advice would be to carry out a separate risk assessment and certification in accordance with EN ISO 13849-1:2008. A helpful procedure is to estimate the risks described in the C standard and document the parameters S, F and P, which are present in both standards. This allows the relevant risk graphs to be used to carry out a clear risk classification for the two old standards as well as for EN ISO 13849-1:2008. If the results from the assessment in accordance with EN 954-1 or ISO 13849-1:1999 correspond to those of the C standard, this can be used to confirm the corresponding classification in accordance with EN ISO 13849-1:2008.

EN 954-1 despite the C standard referring to EN ISO 13849-1
Even if the relevant C standard for a product already refers to EN ISO 13849-1:2008, it is still technically possible to apply EN 954-1. Ultimately, however, the possibility of EN 954-1 not being recognised as the state of the art in any legal dispute cannot be excluded, because it already has a successor standard (EN ISO 13849-1:2008). The state of the art is a basic requirement for the safety-related development of products in accordance with the Machinery Directive; as a result, the products concerned would not comply with the Machinery Directive, which would have direct consequences for product liability.

What does that mean for someone who needs to certify a machine for which such a C standard exists? In this case, EN 954-1 and ISO 13849-1:1999 will still be applicable, through the back door as it were, even after 29.12.2009. Irrespective of this situation, after this date the machine builder is still free to carry out his own risk assessment and certification in accordance with EN ISO 13849-1:2006. A helpful procedure would be to estimate the risks described in the C standard and document the parameters S, F and P, which are present in both standards. This would allow the relevant risk graphs to be used to carry out a clear risk classification for the two old standards as well as for EN ISO 13849-1:2006. If the results from the assessment in accordance with EN 954-1 or ISO 13849-1:1999 correspond to those of the C standard, this can be used to confirm the corresponding classification in accordance with EN ISO 13849-1:2006.
3.4.3.5 EN ISO 13855
Standard: EN ISO 13855:2010 (replaces EN 999)
Harmonised: Yes
Title: Safety of machinery - Positioning of safeguards with respect to the approach speeds of parts of the human body

EN ISO 13855 primarily defines human approach speeds. These approach speeds need to be considered when designing safety measures and selecting the appropriate sensor technology. Different speeds and sizes are defined, depending on the direction and type of approach. Even an indirect approach is considered. The problem regarding measurement of the overall stopping performance is considered alongside the measurement of safety distances. Clear specifications are provided as to how the overall stopping performance should and should not be measured.

3.4.3.6 EN ISO 13857

EN ISO 13857 was first published in 2008 and examines the safety distances required to prevent hazard zones being reached by the upper and lower limbs. It is worth stressing that this standard makes it clear that different anthropometric data (size, length of limbs) may apply for other populations or groups (e.g. Asian countries, Scandinavia, children) and that this could give rise to other risks. Application of this standard may therefore be restricted, particularly in the public domain or when exporting to other countries.
3.4.3.7 EN 61511 Safety instrumented systems for the process industry sector
Standard: EN 61511 Parts 1-3:2005
Harmonised: No
Title: Functional safety - Safety instrumented systems for the process industry sector

The EN 61511 series of standards covers safety issues concerning plants and systems in the process industry. As a sector standard of EN 61508, the EN 61511 series is a sister standard of EN 62061. This is reflected in the similar observations and mathematical principles contained in the 3 standards. However, an important difference for most end users, as well as component manufacturers, is the differentiation between the demand modes. High demand modes have always been assumed in engineering, but EN 61511 also recognises a low demand mode. The key characteristic for this mode is that a safety function is demanded (operated) less than once per year. As a result, EN 61511 introduced a PFD (probability of failure on low demand) alongside the PFH (probability of failure on high demand) and SILcl. It is particularly worth noting that the SILcl for low demand mode may vary from the SILcl for high demand mode.
3.4.3.8 EN 62061
Standard: EN 62061:2005
Harmonised: Yes
Title: Safety of machinery - Functional safety of safety-related electrical, electronic and programmable electronic control systems

Content
EN 62061 addresses the issue of risk assessment using a risk graph, which in this case is in the form of a table. It also deals with the validation of safety functions based on structural and statistical methods. As with EN ISO 13849-1, the objective is to establish the suitability of safety measures to reduce risks. As with EN ISO 13849-1, there is considerable work involved in making the calculations required under this standard. This can be reduced considerably if appropriate software is used, such as the Safety Calculator PAScal: http://www.pilz.de/products/software/tools/f/pascal/index.de.jsp

Scope
EN IEC 62061 is one of the generic standards for functional safety. It has been adopted at IEC level and in the EU is harmonised as a standard within the Machinery Directive. It therefore provides presumption of conformity within the EU. The scope is given as the electrical, electronic and programmable electronic safety of machinery. It is not intended for mechanical, pneumatic or hydraulic energy sources. The application of EN ISO 13849-1 is advisable in these cases.
Risk assessment/risk analysis
Risks are assessed in IEC 62061 using tables and risk graphs. The evaluations made for each individual risk include the severity of potential injuries, the frequency and duration of exposure, the possibility of avoidance and the probability of occurrence. The outcome of the assessment is the required safety integrity level (SIL) for the individual risks. In subsequent stages of the risk assessment, the levels determined using the risk graph are aligned with the selected risk reduction measures. For each classified risk, one or more measures must be applied to prevent the risk from occurring or to sufficiently reduce the risk. The SIL for that measure must at least correspond to the required SIL, determined on the basis of the risk.

Determination of the required SIL
According to EN IEC 62061 there are four different parameters to assess. Each parameter is awarded points in accordance with the scores in the following tables. SIL classification, based on these entries, is made using the table below, in which the consequences (severity Se) are compared with the class Cl. Class Cl is the sum total of the scores for frequency and duration (Fr), probability (Pr) and avoidance (Av). Areas marked with OM indicate that the standard recommends the use of other measures in this case.

Frequency and duration of exposure | Fr
≤ 1 hour | 5
> 1 hour to ≤ 1 day | 5
> 1 day to ≤ 2 weeks | 4
> 2 weeks to ≤ 1 year | 3
> 1 year | 2

Probability of occurrence | Pr
5 / 4 / 3 / 2 / 1

Avoidance | Av
5 / 3 / 1

Consequences | Se | Cl 3-4 | Cl 5-7 | Cl 8-10 | Cl 11-13 | Cl 14-15
Death, losing an eye or arm | 4 | SIL 2 | SIL 2 | SIL 2 | SIL 3 | SIL 3
Permanent, losing fingers | 3 | OM | OM | SIL 1 | SIL 2 | SIL 3
Reversible, medical attention | 2 | - | - | OM | SIL 1 | SIL 2
Reversible, first aid | 1 | - | - | - | OM | SIL 1

Class Cl = Fr + Pr + Av
Assessing the implementation/examining the system
The principle assumption is that there is no such thing as a safe device. Devices only become suitable through an appropriate design for use in applications with increased requirements. As part of an assessment each device is given a SIL, which describes its suitability. Simple components can also be described via their MTTFd or B10d value. The following considerations examine how the failure of devices or their components affects the safety of the system, how likely these failures are to occur and how to calculate the SIL.

Determination of common cause failure (CCF factor)
The CCF factor is determined through a combination of several individual assessments. One of the first key parameters to examine is the system architecture. Systematic effects in particular need to be assessed, such as the failure of several components due to a common cause. The competence and experience of the developer are also evaluated, along with the analysis procedures. An evaluation scale is used, on which there are 100 points to be assigned.

Requirement | Score
Physical separation of safety circuits and other circuits | 20
Diversity (use of diverse technologies) | 38
Design/application/experience | 2
Assessment/analysis | 18
Competence/training | 4
Environmental influences (EMC, temperature, ...) | 18

The next step is to determine the factor β (beta), based on the points achieved, using the following table.

Score | Common cause factor β
< 35 | 10 % (0.1)
35 - 65 | 5 % (0.05)
66 - 85 | 2 % (0.02)
86 - 100 | 1 % (0.01)
SIL assessment
In EN 62061, the maximum achievable SIL is determined via the dependency between the hardware fault tolerance and the safe failure fraction (SFF). The SFF is calculated by assessing all possible types of component failures and establishing whether each of these failures results in a safe or unsafe condition. The result provides the system's SFF. The structural analysis also indicates whether there is any fault tolerance. If the fault tolerance is N, the occurrence of N+1 faults can lead to the loss of the safety function. The following table shows the maximum potential SIL, based on the fault tolerance and SFF.

The failure rates of the individual components and their λD fraction (dangerous failures) can be determined via PFHD formulas, which are dependent on architecture. These formulas can be extremely complex, but always have the format:

$$\mathrm{PFH_D} = f(\lambda_{Di},\ \beta,\ T_1,\ T_2,\ \mathrm{DC}_i)$$

where
T1  minimum of test interval and mission time
T2  diagnostic test interval

The combined consideration of hardware fault tolerance, category, DC, PFHD and SFF provides the following SIL assignment. All conditions must always be met. If one single condition is not met, the SIL has not been achieved.

Cat. | SFF | DC | PFHD | SIL
2 | ≥ 60 % | ≥ 60 % | ≤ 10^-6 | 1
3 | 0 % | ≥ 60 % | ≤ 2 x 10^-7 | 1
3 | ≥ 60 % | ≥ 60 % | ≤ 2 x 10^-7 | 2
4 | ≥ 60 % | ≥ 60 % | ≤ 3 x 10^-8 | 3
4 | > 90 % | > 90 % | ≤ 3 x 10^-8 | 3

The final step is to compare the required SIL from the risk assessment with the achieved SIL. If the achieved SIL is greater than or equal to the required SIL, the requirement for the implementation is considered to have been met.
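The implementation side of EN 62061 as an added Python example (not code from the compendium or from Pilz): the β factor read off the CCF score, the SIL assignment table with its "every condition must hold" rule, and the final comparison with the required SIL. The CCF scores, β bands and Cat/SFF/DC/PFHD rows are transcribed from the tables above; the short requirement keys and all test values are constructed for this example.

```python
"""EN 62061 implementation assessment: beta from the CCF score, SIL
assignment from category, SFF, DC and PFHD, and the final comparison.

Added example, not part of the Pilz compendium. The requirement keys are
short names chosen here for the six rows of the EN 62061 CCF table.
"""
from typing import Iterable, Optional

# EN 62061 CCF table: requirement -> points (100 points in total).
CCF_POINTS = {
    "separation": 20,   # physical separation of safety and other circuits
    "diversity": 38,    # use of diverse technologies
    "design": 2,        # design / application / experience
    "assessment": 18,   # assessment / analysis
    "competence": 4,    # competence / training
    "environment": 18,  # environmental influences (EMC, temperature, ...)
}


def ccf_points(fulfilled: Iterable[str]) -> int:
    """Points for the CCF requirements that are fully met."""
    return sum(CCF_POINTS[key] for key in set(fulfilled))


def beta_factor(points: int) -> float:
    """Common cause factor beta from the CCF points (< 35, 35-65, 66-85, 86-100)."""
    if not 0 <= points <= 100:
        raise ValueError("CCF points must lie between 0 and 100")
    if points < 35:
        return 0.10
    if points <= 65:
        return 0.05
    if points <= 85:
        return 0.02
    return 0.01


# SIL assignment rows: (category, SFF limit, SFF strict, DC limit, DC strict,
# PFHD ceiling, SIL). 'strict' distinguishes "> 90 %" from ">= 60 %".
SIL_ROWS = [
    (2, 0.60, False, 0.60, False, 1e-6, 1),
    (3, 0.00, False, 0.60, False, 2e-7, 1),
    (3, 0.60, False, 0.60, False, 2e-7, 2),
    (4, 0.60, False, 0.60, False, 3e-8, 3),
    (4, 0.90, True, 0.90, True, 3e-8, 3),
]


def _at_least(value: float, limit: float, strict: bool) -> bool:
    return value > limit if strict else value >= limit


def achieved_sil(category: int, sff: float, dc: float, pfhd: float) -> Optional[int]:
    """Highest SIL whose row is satisfied in full; None if no row is.

    sff and dc are fractions (0.6 for 60 %), pfhd is per hour.
    """
    best = None
    for cat, sff_lim, sff_strict, dc_lim, dc_strict, pfhd_max, sil in SIL_ROWS:
        if (category == cat
                and _at_least(sff, sff_lim, sff_strict)
                and _at_least(dc, dc_lim, dc_strict)
                and pfhd <= pfhd_max):
            best = sil if best is None else max(best, sil)
    return best


def sil_meets_requirement(achieved: Optional[int], required: int) -> bool:
    """Final step: the achieved SIL must be >= the required SIL."""
    return achieved is not None and achieved >= required


if __name__ == "__main__":
    # Constructed design: Cat 3, SFF 70 %, DC 65 %, PFHD 1.5e-7 /h, CCF
    # requirements for separation and diversity met.
    beta = beta_factor(ccf_points(["separation", "diversity"]))
    sil = achieved_sil(3, 0.70, 0.65, 1.5e-7)
    print(f"beta = {beta}, achieved SIL = {sil}, SIL 2 required: "
          f"{sil_meets_requirement(sil, 2)}")
```

A single failed condition drops the design out of a row entirely rather than degrading it gracefully: the same Cat 3 design with PFHD of 5 x 10^-7 matches no row and therefore has no SIL, even though its SFF and DC would be good enough for SIL 2.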
3.4.3.9 EN 954-1

This standard has been withdrawn and replaced by EN ISO 13849-1. See page 3-24 for details of the transition periods.
3.4.3.10 EN 60204-1
Standard: EN 60204-1:2007
Harmonised: Yes
Title: Safety of machinery - Electrical equipment of machines - Part 1: General requirements

The harmonised standard EN 60204-1 considers the electrical safety of non-hand-guided machinery with voltages up to 1000 V DC and 1500 V AC. Its scope is therefore such that there are very few industrial machines that it does not affect.
3.4.3.11 EN 61508
Standard: EN 61508-1:2010, EN 61508-2:2010, EN 61508-3:2010, EN 61508-4:2010, EN 61508-5:2010, EN 61508-6:2010, EN 61508-7:2010
Harmonised: No
Title: Functional safety of safety-related electrical, electronic and programmable electronic control systems

EN 61508 is the key standard dealing with the functional safety of control systems. It has 7 parts in total and altogether contains around 1000 pages of text. It's important to note that EN 61508 has not been harmonised. Only its sector standard EN 62061 can claim harmonisation. The whole EN 61508 standards package was completely revised in 2010 and Edition 2 is now available. A key component of EN 61508 is the examination of the complete lifecycle from a safety perspective (in Part 1), with detailed requirements of the procedure and the content of the individual steps; it's essential to both machine builders and safety component manufacturers alike.

This standard is also focused on the design of electrical systems and their corresponding software. However, the standard is to be generally expanded and will also apply for all other systems (mechanics, pneumatics, hydraulics). Manufacturers of safety components such as safety relays, programmable safety systems and safety sensor/actuator technology are likely to derive the most benefit from this standard. Overall, when it comes to defining safety levels, end users or system integrators are better advised to use the much less complex EN 62061 or EN ISO 13849-1, rather than EN 61508. Another sector standard of EN 61508 is EN 61511, which is applicable for the process industry sector.
Overall framework of the IEC 61508 series of standards (extract from DIN EN 61508-1, overall framework of the safety assessment in accordance with EN 61508). Technical requirements: Part 1, development of the overall safety requirements (concept, scope, definition, hazard and risk analysis), 7.1 to 7.5; Part 1, allocation of the safety requirements to the E/E/PE safety-related systems, 7.6; Part 1, specification of the safety requirements for safety-related E/E/PE systems, 7.10; Part 3, realisation phase for safety-related software; Part 1, installation, commissioning and safety validation of E/E/PE safety-related systems, 7.13 and 7.14; Part 1, operation and maintenance, modification and retrofit, decommissioning or disposal of E/E/PE safety-related systems, 7.15 to 7.17. Other requirements: Part 4, definitions and abbreviations; Part 5, examples of methods for the determination of safety integrity levels; Part 1, documentation, clause 5 and Annex A; Part 7, overview of techniques and measures.
Overall safety lifecycle in accordance with EN 61508-1 (phases legible in the figure: 1 Concept; overall planning: 8 Overall installation and commissioning planning; 10 E/E/PE safety-related systems: realisation (see E/E/PE system safety lifecycle); 12 Overall installation and commissioning; 16 Decommissioning or disposal).
3.4.3.12 EN 61326-3
Standard: EN 61326-3 Part 1 and Part 2:2008
Harmonised: No
Title: Electrical equipment for measurement, control and laboratory use - EMC requirements

With the release of EN 61326-3-1 and EN 61326-3-2, since 2008 there have been two standards providing information on immunity requirements in respect of the EMC level on safety devices. Both parts have been specified with different immunity requirements. Part EN 61326-3-1 is the general section with more stringent requirements. This part was drawn up with a particular view towards mechanical engineering. In contrast, part EN 61326-3-2 was written with a view towards the process industry and the immunity requirements are significantly lower. In engineering, therefore, it should always be ensured that the test requirements in accordance with EN 61326-3-1 are met as a minimum. As the origin of both these standards is still very recent and there are no forerunners to refer back to, it will still be some time before they are reflected in the relevant device certificates. In general, it should be noted that product or sector standards also set EMC requirements, but these are mostly below the requirements stated in EN 61326-3-1.
3.4.4 Product standards

3.4.4.1 EN 1088 and ISO 14119

Standard: EN 1088:2007 (Harmonised: Yes), ISO 14119:2006 (Harmonised: No)
Title: Safety of machinery - Interlocking devices associated with guards - Principles for design and selection

EN 1088 was published back in 1995. The 2007 amendment is just a first step towards the new version and unification with ISO 14119. The purpose of the standard is to specify exact requirements to improve provisions for reducing the ability of the machine operator to defeat safety equipment. Investigations have shown that operators often attempt to defeat the safety function of an interlocking guard by defeating the interlock. The ability to defeat safety equipment can mainly be attributed to deficiencies in the machine design.
Standard: EN 61496-1:2010
Harmonised: Yes (further rows of the original table: No, No)

The EN 61496 series of standards considers electrosensitive protective equipment. This includes devices such as light grids, laser scanners, light beam devices, safe camera systems and other sensors, which can all be used for non-contact protection. As EN 61496 is a product standard for safety components, it is only relevant for the typical user if the safety components he has used are intended to conform to these standards.

While the 61496 series describes product-specific requirements of electrosensitive protective equipment, IEC/TS 62046 focuses on the selection and measurement of electrosensitive protective equipment such as light beam devices, light grids or scanners. As such, it is one of the key standards for machine builders when it comes to designing machine access areas and safeguarding material channels.
3.4.4.3 EN 61800-5-2
Standard: EN 61800-5-2:2007
Harmonised: No
Title: Adjustable speed electrical power drive systems - Part 5-2: Safety requirements - Functional

The non-harmonised EN 61800-5-2 is aimed at both drive manufacturers and users. It deals with the issue of drive-based safety, but without specifying any requirements regarding safety-related suitability. No safety level is established, nor is there any definite hazard or risk evaluation. Instead, the standard describes mechanisms and safety functions of drives in an application environment, and how these are verified and planned within the drive's lifecycle. Technologically, the standard is based on EN 61508, even though proximity with EN ISO 13849-1 might have been anticipated, given the ever-present mechanical aspect of the drives.

Manufacturers of safe drives focus on EN 61800-5-2.
3.4.5 Application standards 3.4.5.1 EN ISO 11161 Integrated manufacturing systems
Standard: EN ISO 11161:2010
Harmonised: No
Title: Safety of machinery - Integrated manufacturing systems - Basic requirements

This standard deals with the safety aspects when assembling machines and components into an integrated manufacturing system (IMS). It does not deal with the requirements of the individual components and machines. The standard is of particular interest to operators and system integrators who operate or design machine pools and plants incorporating machines and components. This standard should be applied in close co-operation with EN ISO 12100.
3.4.5.2 NFPA 79
Standard: NFPA 79:2008
Harmonised: No
Title: Industrial machinery
This standard is mainly important for the US market, though it may also be applied in Asia.
The standard is concerned with the safe design, operation and inspection of industrial machinery.
Brazil
The Brazilian Technical Standards Association (ABNT) has incorporated the standards ABNT NBR/IEC 61058-1 and ABNT NBR/IEC 61058-2-1. The possibility of harmonising the standards IEC 61508, IEC 61511 or IEC 62061 has not yet been analysed. Due to increasing globalisation and market requirements, the larger Brazilian companies are independently changing to ISO/IEC standards before ABNT has the chance to incorporate them into Brazilian legislation. Multinational companies or businesses working in the process industry, such as in oil and gas, often apply international ISO/IEC standards such as IEC 61508.

Russia
Russia and the CIS states have implemented GOST-R certification for some years now. Under this procedure, technical devices included on a specific product list must undergo a certain certification process. A European notified body performs a type-examination on machinery and any corresponding technical accessories. The Russian-based approvals body generally recognises this examination. From a safety point of view, therefore, the same requirements apply as in Europe.
The Industrial Safety and Health Law places demands on design issues relating to certain machinery (crane, lift etc.). The law also states that the machine operator is responsible for carrying out risk analyses. He also has to ensure safety in the workplace. It is assumed that the machine operator will ask the machine manufacturer to issue a risk analysis report at the time of purchase and that the machine is designed safely. The law also contains requirements for pressure vessels, personal protective equipment, packaging machines for the food industry and machines that are moved on the public highway. Japan adopts most of the IEC and ISO standards as JIS standards (Japan Industrial Standards); however, the Industrial Safety and Health Law does not yet refer to each of these standards. There are plans to publish a supplementary law to this one, which will look specifically at the issue of performing risk analyses. It is anticipated that this law will refer to JIS (or ISO).
China has introduced CCC certification. Similar to the position in Russia, technical products are subject to mandatory certification through a national approvals body, and production sites are also inspected. If a technical device falls within the scope of the product list, which is subdivided into 19 categories, certification is mandatory. In all other cases, it is necessary to supply a type of declaration of no objection from a national notified body.
In Australia, states and territories have the responsibility of drafting and implementing safety laws. Fortunately the individual laws on industrial safety and their requirements are very similar. The relevant legislation is based on the Occupational Health and Safety (OHS) Act. This defines the obligations and duty of care of people with various responsibilities. Numerous regulations and codes of practice for the various safety areas fall under the state OHS legislation. These regulations are legally binding. Although the codes of practice are not generally legally binding, they are frequently consulted as a benchmark in the respective legal system, whenever it is necessary to assess whether sufficient measures have been taken to design a safe workplace. For this reason, failure to comply with codes of practice can have very serious consequences. As well as referring to the codes of practice, regulations also sometimes refer to the Australian standards drafted by an independent organisation called Standards Australia. However, with a few notable exceptions, Australian standards are not legally binding, although courts frequently consult them in order to assess the measures that have been taken to reduce risks. The most important machinery safety standard in Australia is AS4024.1, for example. Although compliance is not strictly mandatory, it does represent an excellent defence
3.6 Validation
In mechanical engineering, a validation process must provide evidence that the plant or machine meets the requirements of its specific intended use. The process of verification also examines the functionality of the technical equipment and the safety-related parts of control systems, thereby confirming that they fulfil their functions safely, in accordance with the specification. Documentation of the results and solutions from the verification and validation process ensures that the intended target has actually been achieved. With its basic terminology, general principles for design, procedures for evaluating risks (analysis and estimation), plus principles of risk assessment and risk reduction, the harmonised standard EN ISO 12100 defines important practices for safety-related systems and safety-related parts of plant and machine control systems. Other harmonised standards use this essential standard as a basis for describing the design, structure and integration of safety-related parts of control systems and safeguards: standards such as EN ISO 13849-1/-2 and EN 61508 with its sector standard EN 62061 (the origin of validation). In contrast to EN 62061, EN ISO 13849-1/-2 is not restricted to electrical systems but can also be applied to mechanical, pneumatic and hydraulic systems. Both standards (EN ISO 13849-1/-2 and EN 62061) specify essential requirements for the design and implementation of safety-related control systems on machinery and are successors to EN 954-1, which is no longer relevant. In the application of EN ISO 13849-1/EN 62061, there are a number of differences in the design and implementation of safety-related parts of control systems and their subsequent assessment within the validation process.
Standard | Scope
EN ISO 13849-1/-2 | Mechanical, hydraulic, pneumatic systems
EN 62061 | Electrical, electronic, programmable systems
EN 61508 | User-programmable systems; safety components and system programming
3.6.1 Verification of safety functions in accordance with EN ISO 13849-1/-2
Required characteristic data: PL, Category, MTTFd, DC, CCF, B10d.
The stipulated requirements form the basis for the design and implementation of the safety function (selection of components and architecture). The planned components are grouped into subsystems and the achievable performance level (PL) is defined.
Verification of the planned safety function: achieved PL >= PLr.
The validation process confirms the conformity of the configuration and function of the safety-related parts of control systems within the overall specification of the plant and machinery.
Note: Guidance on how to implement a validation process and validation tools for various technical systems can be found in EN ISO 13849-2.
3.6.2 Verification of safety functions in accordance with EN 62061
Required characteristic data: PFH, SIL, MTTFd, DC, CCF, B10d.
The implementation of safety functions is designed on the basis of the formulated requirements. This involves the selection of appropriate components and the development of a coherent architecture. The planned components are grouped into subsystems and are the basis for determining the safety integrity level (SIL).
Verification of the planned safety function: achieved SIL >= required SIL.
Comparison chart: performance level (PL) and safety integrity level (SIL).
PL (EN ISO 13849-1): a, b, c, d, e
SIL (EN 62061): 1, 1, 2, 3, 4
The verification of safety-related parts of control systems must demonstrate that the requirements and specifications have been met in accordance with the applied standard and the safety-related specification. These requirements refer specifically to:
- the properties of a safety function, as defined in accordance with the risk assessment
- the standard-compliant architecture of the category defined for the safety function
Verification of the safety-related parts of control systems consists of a thorough analysis and, if necessary, the carrying out of additional (function) tests and fault simulations. It is advisable to start the analysis right at the beginning of the design process so that any faults and/or problems can be identified early and dealt with accordingly. The way in which the analysis and tests are carried out will depend on the size and complexity of the control system and the way it is integrated within the plant or machine. It makes sense, therefore, to carry out certain analyses and tests only once the control system has been developed to a certain level. An independent person or body should be commissioned to ensure that the analysis is independent. However, this does not necessarily mean that a third party needs to be involved. To carry out the validation, a validation plan must first be produced to establish the scope of the analysis and tests. The exact scope and balance between the two processes always depends on the technology that is used and its complexity. The diagram overleaf provides a schematic overview of the validation process.
Figure: schematic overview of the validation process (the numbers in brackets are the clause references reproduced from the figure). Elements: Start; design in accordance with EN 954-1 (4); validation plan (3.4); validation principles (3.1); fault lists (3.2, 3.3); documents (3.5); analysis (4) covering the safety functions, the performance level (category, MTTFd, DC, CCF), systematic failures, software and combination/integration; testing (5), including testing of the SF under fault conditions (3.6); Is testing complete?; validation report; Modification (the NO branches loop back); End.
3.6.3 General information about the validation plan
The validation plan must describe all the requirements for carrying out the validation of the specified safety functions and their categories. The validation plan must also provide information about the means to be employed to carry out the validation. Depending on the complexity of the control system or machine that is to be tested, the validation plan must provide information about:
- the requirements for carrying out the validation plan
- the operational and environmental conditions
- the basic and well-tried safety principles
- the well-tried components
- the fault assumptions and fault exclusions
- the analyses and tests to be applied
The validation plan also contains all the validation documents.
3.6.4 Validation by analysis
The validation of safety-related parts of control systems is primarily carried out by analysis. Evidence must be provided to show that all the required properties of a safety function [SRCF] are actually present. The following factors are included in the analysis:
- the hazards identified in association with the machine
- the reliability
- the system structure
- the non-quantifiable, qualitative aspects which affect system behaviour
- deterministic arguments such as empirical values, quality features and failure rates
Top-down/bottom-up analysis techniques
There are two different techniques to choose from when selecting the analysis technique: the deductive top-down technique and the inductive bottom-up technique. The deductive top-down technique can be applied in the form of a fault tree analysis or event tree analysis. Examples of the inductive bottom-up technique are the failure modes and effects analysis (FMEA) and failure modes, effects and criticality analysis (FMECA).
3.6.5 Validation by testing
When validation by analysis is not sufficient to demonstrate the achievement of a specified safety function, further tests will be needed to complete the validation. As many control systems and their requirements are extremely complex, further tests need to be carried out in the majority of cases. In practice the test requires a test plan, which must include the following:
- the test specifications
- the expected results
- the chronology of the individual tests
The test results must be documented in a way that is traceable; the test records must include the following as a minimum:
- the name of the person and/or body undertaking the test
- the environmental conditions at the time of the test
- the test procedures and equipment used
To demonstrate that the target and defined safety objective has actually been achieved, the test results are then compared with the specifications from the test plan.
3.6.6 Verification of safety functions
An important part of validation is verification that the safety functions comply with the intended specifications, functions, categories and architectures. It is important to validate the specified safety functions in all of the plant's/machine's operating modes. Alongside the basic validation of each safety function, the validation of the PL and/or SIL value within the safety function also has a key role to play. The following steps are required when verifying the PL achieved by a safety function:
- Validation of the category
- Validation of the MTTFd values
- Validation of the DC values
- Validation of the measures against common cause failures/CCF
- Validation of the measures against systematic faults
Flowchart: verification of the performance level of the safety functions. Steps: determine which SF are required; PL calculation in accordance with the result from the risk assessment; Is the PL ≥ PL (required)?; Have the requirements been met?; If necessary, functional check of the safety function on the machine; Have all SF been fully analysed? The NO branches loop back to earlier steps (Recalculate PL).
The validation of safety functions is a really complex process and so it is advisable in this case to use a software tool (e.g. PAScal), which can help you to calculate the planned and/or implemented safety functions. Based on the safety-related characteristic values of the planned/employed components, these calculation tools validate the values that have been achieved, including the required/demanded default values PLr or SIL. The advantage of software-based tools is that they guide you step by step through the individual stages involved in validating safety functions. The option within the tool for graphic modelling of safety functions gives the tester additional security in his calculations and helps to make the results more traceable.
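As an added illustration of the check "achieved PL >= PLr" from 3.6.1 and of the loop in the flowchart above, the following Python snippet models each safety function as a chain of subsystems (sensor, logic, actuator) with the PL each one achieves, derives the overall PL and verifies the whole set of safety functions. It is example code written for this page, not Pilz code and not an extract from PAScal. The rule used to derive the overall PL of subsystems in series (the lowest subsystem PL, reduced by one level when more than a given number of subsystems share that lowest PL, with the limits in MAX_AT_LOWEST) is the combination rule of EN ISO 13849-1 (Table 11 in the 2008 edition); that rule is not described on this page, so check it against your edition of the standard. The names SafetyFunction, combine_pl, verify and verify_all are the example's own.

```python
"""Verification step 'achieved PL >= PLr' for a set of safety functions.

Added example for this page (not Pilz code, not PAScal). Each safety function
(SF) is a chain of subsystems, each with the PL its designer claims to have
achieved. The overall PL of the chain follows the combination rule of
EN ISO 13849-1 (assumption: Table 11, 2008 edition): take the lowest subsystem
PL and reduce it by one level when too many subsystems share that lowest PL.
"""
from dataclasses import dataclass, field

PL_ORDER = "abcde"  # PL a is the lowest level, PL e the highest

# Maximum number of subsystems allowed at the lowest PL before the overall PL
# must be reduced by one level (assumption: EN ISO 13849-1 Table 11).
MAX_AT_LOWEST = {"a": 3, "b": 2, "c": 2, "d": 3, "e": 3}


@dataclass
class SafetyFunction:
    name: str
    pl_required: str                       # PLr from the risk assessment
    subsystem_pls: list = field(default_factory=list)  # achieved PL per subsystem


def combine_pl(subsystem_pls):
    """Overall PL of subsystems in series; None if no PL can be claimed."""
    if not subsystem_pls:
        raise ValueError("a safety function needs at least one subsystem")
    for pl in subsystem_pls:
        if pl not in PL_ORDER:
            raise ValueError(f"unknown PL {pl!r}")
    lowest = min(subsystem_pls, key=PL_ORDER.index)
    n_lowest = subsystem_pls.count(lowest)
    if n_lowest <= MAX_AT_LOWEST[lowest]:
        return lowest
    if lowest == "a":
        return None  # more than three PL a subsystems: no PL achievable
    return PL_ORDER[PL_ORDER.index(lowest) - 1]  # reduce by one level


def verify(sf):
    """The check 'achieved PL >= PLr'. Returns (achieved_pl, passed)."""
    if sf.pl_required not in PL_ORDER:
        raise ValueError(f"unknown PLr {sf.pl_required!r}")
    achieved = combine_pl(sf.subsystem_pls)
    if achieved is None:
        return None, False
    return achieved, PL_ORDER.index(achieved) >= PL_ORDER.index(sf.pl_required)


def verify_all(sfs):
    """Mirror the flowchart: every SF is analysed and every SF must pass.

    Returns a report {name: (achieved_pl, passed)} and an overall verdict.
    """
    report = {sf.name: verify(sf) for sf in sfs}
    return report, all(passed for _, passed in report.values())


if __name__ == "__main__":
    # Constructed sample: three safety functions of a machine with PLr from a
    # risk assessment and the PLs claimed for sensor, logic and actuator.
    planned = [
        SafetyFunction("SF1 safety gate stop", "d", ["e", "d", "d"]),
        SafetyFunction("SF2 light curtain stop", "d", ["d", "d", "d", "d"]),
        SafetyFunction("SF3 two-hand control", "c", ["e", "c", "e"]),
    ]
    report, ok = verify_all(planned)
    for name, (pl, passed) in report.items():
        print(f"{name}: achieved PL {pl}, {'OK' if passed else 'recalculate'}")
    print("all safety functions verified" if ok else "verification not complete")
```

In the sample, SF2 fails: four subsystems at PL d exceed the limit of three, so the chain only reaches PL c against a PLr of d, which is exactly the case where the flowchart sends the designer back to "Recalculate PL" (fewer subsystems, or a higher PL for some of them).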
3.6.7 Validation of software
The provisions in the standards EN 62061 and EN ISO 13849-1/-2 allow the development of safety-related software in the machine sector for all performance levels and safety integrity levels. As a result, software assumes a high level of responsibility and largely determines the quality of the safety function to be implemented. It is therefore of the utmost importance that the software created is clear, legible and can be tested and maintained. To guarantee the quality of the software, it is also subjected to a validation process during development. The basic principles are:
- Working to a V-model (development lifecycle incl. verification and validation)
- Documentation of specification and design
- Modular and structured programming
- Functional testing
- Appropriate development activities after modifications or adjustments
A corresponding report is also produced in this case, to confirm that the software conforms to the safety requirement specification; this report forms part of the validation report for the plant or machine. As with the validation of the safety functions, the software should not be validated by the programmer himself but by an independent person.
Figure: V-model for the development of safety-related hardware and software, from customer enquiry to product. Specification branch: safety requirements, system specification, system architecture, design specification, hardware and software specification, implementation manual. Test branch: HW/SW module tests, module test specification, integration test, functional system tests, environmental tests, safety check. Verification (Have we developed the system right?) provides evidence of functionality and evidence of safety and availability; validation (Have we developed the right system?) provides evidence of compliance with product requirements and compliance with the required standards.
Today there are some very good, certified software tools available to develop and program safety-related software for the relevant safety control system. The use of software tools simplifies the whole validation process, as the blocks contained within the software are essentially pre-certified and at the same time validated. The more these software blocks are used within an application, the less validation work will be needed. The same is true when using parameterisable user software; this also contains pre-validated blocks. The subsequent series of function tests must demonstrate whether the safety functions operate in accordance with their specification. This includes simulation of anticipated faults.
3.6.8 Validation of resistance to environmental requirements
When determining the performance of safety-related parts of control systems, environmental conditions such as the environment at the installation site and the way in which the control system will subsequently be used play an important role. Relevant key words include waterproofing and vibration protection. The system must therefore be validated by analysis. In specific terms, the analysis must show that the control system has the mechanical durability to withstand the wide range of stresses from environmental influences such as shock, vibration and ingress of contaminants. Safety-related parts of control systems must maintain a safe condition under all circumstances. The analysis should also consider factors such as temperature, humidity and electromagnetic compatibility.
3.6.9 Production of validation report
Finally, after all the verification and validation steps have been carried out, the validation report is produced. This contains all the information about the analyses and tests that have been carried out in traceable form, for both the hardware and software. Cross-references to other documents are permitted provided these are traceable and identifiable.
Any safety-related parts of control systems which have failed the validation process should be named, along with the factors that led to their exclusion.
3.6.10 Conclusion
Maintenance and repair/periodic tests
Naturally, the ravages of time also gnaw away at the performance of safety-related control systems. Wear and tear, corrosion and sustained (mechanical) stresses lead to a reduction in safety; in an extreme case they can even lead to dangerous failures of control components, even the whole control system. For this reason, it is necessary to maintain the safety-related parts of control systems at regular intervals and to carry out periodic tests to check functional safety. A maintenance and repair plan should be available in written form along with records from the periodic tests. The function tests must be carried out by a competent person. Based on the hazard assessment in accordance with § 3 of the industrial safety regulations (BetrSichV), the machine or plant operator should define the type, scope and frequency of the periodic tests. To provide details of the industrial safety regulations would be beyond the scope of this chapter; more information on our services can be found on our homepage, webcode: 7057
3.6.11 Appendix
This appendix covers basic and well-tried safety principles, well-tried safety components and fault exclusions. The tables correspond to the specifications of EN ISO 13849-1 and EN ISO 13849-2 and provide a brief overview of the safety-related considerations.
Basic safety principles in accordance with EN ISO 13849-1/EN ISO 13849-2
Features of basic safety principles may be:
- Use of suitable materials and manufacturing methods, taking into account stress, durability, elasticity and wear
- Correct dimensioning and shaping, taking into account stresses and strains
- Pressure limiting measures such as pressure control valves and chokes
- Speed limiting measures
Annexes A-D of EN ISO 13849-2 contain a list of the basic safety principles affecting mechanical, hydraulic, pneumatic and electrical/electronic systems.
Well-tried safety principles in accordance with EN ISO 13849-1/EN ISO 13849-2
Features of well-tried safety principles are, for example:
- Avoiding faults, e.g. through the safe position of moving parts of components
- Reducing the probability of error, e.g. by over-dimensioning components
- Defining the failure mode, e.g. through positive electrical separation/positive opening contacts
- Reducing the effect of failures, e.g. by multiplying parts
Annexes A-D of EN ISO 13849-2 contain a list of the well-tried safety principles for mechanical, hydraulic, pneumatic and electrical/electronic systems.
Well-tried components in accordance with EN ISO 13849-1/EN ISO 13849-2
A component can be regarded as well-tried when it
- has been widely used in the past with successful results in similar applications, or
- has been made using principles which document the suitability and reliability of the component.
Annexes A-D of EN ISO 13849-2 contain a list of well-tried components for mechanical systems, such as screws, springs and cams for example, as well as components for electrical and electronic systems, such as contactors and relays.
There are currently no well-tried components listed for pneumatic and hydraulic systems.
Fault exclusions in accordance with EN ISO 13849-2
The requirements for applying a fault exclusion must be indicated in the validation plan. It is important that each fault exclusion can be justified with a reasonable, traceable explanation. Annexes A-D of EN ISO 13849-2 provide an overview of possible fault exclusions based on their presumed faults. For example, these may be:
- Fracture due to over-dimensioning, on mechanical systems
- Spontaneous change due to safety device, on pneumatic systems
- Change of switching times due to positive action, on hydraulic systems
- Short circuits between adjacent contacts insulated from each other, on electrical/electronic systems
What can Pilz do for you?
Pilz GmbH & Co. KG offers a wide range of services, including validation within the lifecycle of the plant and machinery. By mirroring the risk assessment and the safety concept, the developed solutions are adapted to suit the actual requirements. Validation by Pilz is followed by an objective and systematic review of the implemented measures, evaluation of the technical safeguards and finally function tests. Compliance with all applicable safety standards and directives is assured. With a wealth of experience in validating machinery, Pilz engineers have developed structured methods for inspecting safety-critical elements of plant and machinery. The PAScal calculation tool helps to verify the performance level that has been achieved for the respective safety function.
Validation by Pilz includes:
- Mirroring of the requirements from the risk assessment and safety concept
- Verification of the achieved performance level in accordance with EN ISO 13849-1/EN IEC 62061, based on the calculation tool PAScal, Sistema, etc.
- Verification of the operating manual
- Function testing and fault simulation (safety check)
- Testing of the safety-related software and hardware functions
- Testing of the sensor/actuator technology and its wiring
- Measurements (protective earth conductor, sound level, ...)
- Production of a test report with detailed information about the results
- Acceptance of responsibility as the authorised representative by signing the declaration of conformity
How you benefit from validation with Pilz
- Opt for professional methods during the certification process
- Consider all relevant aspects of validation and certification
- Delegate responsibility to Pilz
- Trust in the safety experts
Complete your overall safety process with CE certification
To complete your machine's safety lifecycle, Pilz can offer CE certification as a final service.
In this case, Pilz undertakes the whole conformity assessment process, assuming responsibility for the whole procedure. By signing as the authorised representative on the declaration of conformity, Pilz confirms that the requirements of the directives have been met. As a result you obtain the passport your machine needs throughout the European internal market. Regular inspections and up-to-date knowledge of standards, directives and product developments are essential to anyone wishing to operate their plant or machine safely on a long-term basis. In accordance with § 10 of the industrial safety regulations (BetrSichV), it is essential that electrosensitive protective equipment (for example: light grids, light beam devices, scanners etc.) is properly configured and installed and undergoes regular inspection. Responsibility for this lies fully in the hands of the operator.
Regular inspections keep you on the safe side
An independent inspection body, accredited by DAkkS (German Accreditation Body) in accordance with DIN EN ISO 17020, guarantees objectivity, high availability for your plant and machine, plus the highest possible safety for your staff. At the end of the process Pilz will submit the inspection report and discuss all the results with you. If the inspection is passed, the plant is given a Pilz quality seal.
Accreditation continues to enjoy worldwide recognition due to agreements between DAkkS and the International Laboratory Accreditation Cooperation (ILAC), the International Accreditation Forum (IAF) and the European co-operation for Accreditation (EA).
Figure: international recognition of DAkkS. MRA = Mutual Recognition Agreement; MLA = Multilateral Recognition Arrangement.
3.7.2 Accreditation or certification
Accreditation uses criteria and procedures specifically developed to determine technical competence. Specialist technical assessors conduct a thorough evaluation of all factors in an organisation that affect the production of test or calibration data. The criteria are based on international standards such as ISO/IEC 17020, ISO/IEC 17025 or ISO 15189, which are used worldwide to evaluate accredited organisations. Accredited bodies use these standards specifically to assess factors relevant to technical competence, such as:
Certification, to the standard ISO 9001 for example, is widely used by manufacturing and service organisations. It demonstrates that products, services and procedures meet the required quality standards. The aim in certifying an organisation's quality management system to ISO 9001, for example, is to confirm that the management system conforms to this standard. Although laboratories and inspection bodies can be certified to ISO 9001, unlike accreditation, such certification makes no claim regarding technical competence.
Chapter 4 Contents
4 Safeguards  Page 4-3
4.1 European Union standards, directives and laws relating to safeguards  4-3
4.1.1 Standards for guards  4-7
4.1.2 Standards for dimensioning of guards  4-7
4.1.3 Standards for the design of protective devices or electrosensitive protective equipment  4-7
4.2 Guards  4-8
4.2.1 Fixed guards  4-8
4.2.2 Movable guards  4-9
4.2.3 Further aspects on the design of safeguards  4-11
4.3 Protective devices  4-15
4.3.1 Active optoelectronic protective devices  4-15
4.3.2 Further important aspects in connection with electrosensitive protective equipment  4-17
4.3.3 Other sensor-based protective equipment  4-19
4.4 Manipulation of safeguards  4-22
4.4.1 Legal position  4-22
4.4.2 Conduct contrary to safety: What does that mean?  4-24
4.4.3 What can designers do?  4-26
4.4.4 User-friendly guards  4-27
4.4.5 Conclusion  4-29
Chapter 4 Safeguards
EN 1088:1995+A2:2008
EN 349:1995+A2:2008
4.1.3 Standards for the design of protective devices or electrosensitive protective equipment
Standard | Title
EN 61496-1:2010 | Safety of machinery - Electrosensitive protective equipment - Part 1: General requirements and tests
 | Safety of machinery - Electrosensitive protective equipment - Part 2: Particular requirements for equipment using active optoelectronic protective devices (AOPDs)
 | Safety of machinery - Electrosensitive protective equipment - Part 3: Particular requirements for active optoelectronic protective devices responsive to diffuse reflection (AOPDDR)
 | Safety of machinery - Positioning of safeguards with respect to the approach speeds of parts of the human body
4.2 Guards
A guard is part of a machine which is specifically required as a form of physical barrier to protect persons from the hazards of machinery. In some cases the same safeguards can simultaneously protect the machine from persons, for example, if time-critical processes may not be interrupted by persons approaching at random. The study below considers the first scenario only.
Examples of guards
A guard forms a physical barrier between the machine operator and the hazard, in contrast to protective devices or electrosensitive protective equipment such as light curtains and light beam devices, which are covered later. Protective devices of this type do not prevent access to a hazard, but detect a person or part of a person's body when a hazard is approached. In this case, the hazard is shut down via a downstream control system so that the danger is removed before the hazard zone is reached. Depending on its design, a guard may be implemented as housing, casing, shield, door, cover or some other format. Guards are therefore available in a wide range of types and formats.
4.2.1 Fixed guards Fixed guards are permanently attached to the machine. This type of safeguard is suitable when it is unnecessary to remove the guard under normal operating conditions or when access is not required during the work process. Examples would be chain covers or grilles in front of motor fans.
4.2.2 Movable guards
If access is required to the danger zone, a movable guard can be used, e.g. a safety gate. The frequency with which access is required will determine whether the guard needs to be fixed or movable. The standards can help you make this decision.
EN 953: Where access is required only for machine setting, process correction or maintenance, the following types of guard should be used:
a) Movable guard if the foreseeable frequency of access is high (e.g. more than once per shift), or if removal or replacement of a fixed guard would be difficult. Movable guards shall be associated with an interlock or an interlock with guard locking (see EN 1088).
b) Fixed guard only if the foreseeable frequency of access is low, its replacement is easy, and its removal and replacement are carried out under a safe system of work.
Note: In this case, the term interlock means the electrical connection between the position of the safeguard and the drives to be shut down. In safety technology, the commonly understood mechanical interlock, meaning a lock, is called a guard locking device.
Several safety gates can be monitored with just one evaluation device thanks to series connection.
EN 1088, 7.5 Frequency of access (frequency of opening the guard for access to the danger zone)

7.5.1 For applications requiring frequent access, the interlocking device shall be chosen to provide the least possible hindrance to the operation of the guard. A clear distinction should be made between the following:
- the concept of frequent access required by the normal operation of the machine, as e.g. once per cycle to feed raw products to the machine and remove finished products
- the concept of occasional access, e.g. to carry out adjustment or maintenance interventions, or for random corrective actions in danger zones
Each of these concepts is associated with an order of magnitude differing greatly as to the frequency of human intervention in the danger zone (e.g. one hundred times per hour in the case of one access per cycle, and several times per day in the case of occasional access for adjustment or maintenance during an automatic production process).

EN 62061, Frequency and duration of exposure

Consider the following aspects to determine the level of exposure:
- need for access to the danger zone based on all modes of use, for example normal operation, maintenance
- nature of access, for example manual feed of material, setting
It should then be possible to estimate the average interval between exposures and therefore the average frequency of access. Where the duration is shorter than 10 minutes, the value may be decreased to the next level. This does not apply to frequency of exposure ≤ 1 h, which should not be decreased at any time. Select the appropriate row for frequency and duration of exposure (Fr) from the following table.
Frequency and duration of exposure (Fr)
Frequency of exposure        Duration > 10 min
≤ 1 h                        5
> 1 h to 1 day               5
> 1 day to 2 weeks           4
> 2 weeks to 1 year          3
> 1 year                     2
7.5.2 For applications using interlocking devices with automatic monitoring, a functional test (see 9.4.2.4 of EN 60204-1:1992) can be carried out every time the device changes its state, i.e. at every access. If, in such a case, there is only infrequent access, the interlocking device should be used with additional measures such as conditional guard unlocking (e.g. separate approval), as between consecutive functional tests the probability of occurrence of an undetected fault is increased.
Summary
Guards which need to be opened during production mode are generally designed as movable guards. These are in complete contrast to fixed guards, which are only operated rarely, for example when they are opened to carry out maintenance or repair. This classification also needs to be well-founded because different costs will be associated with the type or selection of guard.

4.2.3 Further aspects on the design of safeguards

Once the decision has been made to use a movable guard, the next step is to perform a risk assessment in accordance with EN 62061, EN ISO 13849-1 or, for a transitional period, even EN 954-1, to determine the safety level (category, safety integrity level SIL or performance level PL). The corresponding control system is then designed and validated.

These control systems will include sensors in the form of switches, which detect the position of the guard. Via this detection feature, hazardous movements can be stopped as a result of the guard being opened. An additional safety function can prevent drives starting up unexpectedly when a safety gate is opened.

The drive's stopping time will need to be considered: When a safety gate is opened, if it can be assumed that a drive with a long stopping time will generate a hazardous movement, this gate will require a guard locking device. The guard locking device must be unlocked by actively operating a release. This is the only way to guarantee that the safety gate is not released unintentionally as the result of a power failure, for example. In this case, it's also important to note that a person who is in the danger zone at the time of the power failure and has shut the safety gate behind him cannot be released by an unlock command on the machine control system. Such a case may be rare, but it is conceivable, so any guard locking devices that are considered will have a mechanical release function. However, operating staff must be sure to have the appropriate actuation tool available.
Safety gates connected in series When selecting sensors to scan movable guards, the question arises as to whether such sensors can be connected in series to an evaluation device, and if so, how many? The answer to this question depends on the faults that can be anticipated (see fault lists in EN 13849-2). The following example of safety gates connected in series is intended to illustrate this point:
[Figure: four states of the series-connection example: three safety gates, each with a two-channel switch, connected in series to a PNOZ X3P evaluation device (terminals A1, S11/S12/S13/S14, S21/S22, S31/S32, S33/S34, P3/P4; output contacts 13-14, 23-24, 33-34, 41-42; indicators POWER, CH. 1, CH. 2)]
The example shows three safety gates connected in series to an evaluation device. Initially all the safety gates are closed and the relay's outputs are on, i.e. the machine can be operated. On the left-hand safety gate, a short circuit occurs in the line to the switch with the N/C contact: At first the fault is not detected and the machine can continue operating. The left-hand safety gate is then opened, an event which the left switch signals to the relay. During a plausibility comparison of the two channels the relay discovers an inconsistency and switches to a fault condition, i.e. once the safety gate is closed the machine cannot be restarted.
Now the right-hand safety gate is also opened. Via these signals the relay once again detects a normal condition. The fault condition is reset, the safety gates can once again be closed from left to right and the machine is ready to start up again.
This example illustrates an undetected fault in the safety circuit. An additional fault could cause the whole safety gate guard to fail to danger. These and similar faults are described by the term fault masking. In the current standards, the maximum diagnostic coverage (DC) that the switch can achieve is restricted, depending on the masking probability.
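The sequence just described, replayed as an added simulation (a constructed example; not Pilz code and not a model of the PNOZ X3P): a simplified two-channel evaluation device monitors three gates in series, a short circuit bypasses the left gate's channel 1 contact, and the same run with the gates closed in the opposite order shows the fault being caught instead of masked.

```python
"""Fault masking in series-connected safety gate switches (constructed example).

Three gates, each with one N/C contact per channel, are wired in series to
a simplified two-channel evaluation device. Not Pilz code; no real relay
is modelled.
"""
from dataclasses import dataclass


@dataclass
class Gate:
    name: str
    closed: bool = True
    # Wiring fault: a short circuit across the line to this gate's channel 1
    # contact, so the evaluation device always sees that contact as closed.
    short_circuit_ch1: bool = False

    def contact_closed(self, channel: int) -> bool:
        if channel == 1 and self.short_circuit_ch1:
            return True
        return self.closed


class DualChannelRelay:
    """Two-channel evaluation device with a plausibility check.

    Discrepancy detection is reduced to "the two channels disagree"; real
    devices apply a synchronisation window before latching a fault. The
    fault latch is cleared only once both channels have been open.
    """

    def __init__(self) -> None:
        self.outputs_on = False
        self.fault = False

    def evaluate(self, gates: list) -> tuple:
        # Series connection: a channel is closed only if every contact in it is.
        ch1 = all(g.contact_closed(1) for g in gates)
        ch2 = all(g.contact_closed(2) for g in gates)
        if ch1 != ch2:
            self.fault = True            # plausibility check failed
            self.outputs_on = False
        elif not ch1:
            self.fault = False           # both channels open: fault is reset
            self.outputs_on = False
        else:
            self.outputs_on = not self.fault   # restart blocked while faulted
        return self.outputs_on, self.fault


def run_scenario(close_order: tuple) -> dict:
    """Replay the example; returns (outputs_on, fault) after each step."""
    gates = {n: Gate(n) for n in ("left", "middle", "right")}
    chain = list(gates.values())
    relay = DualChannelRelay()
    log = {}
    log["all gates closed"] = relay.evaluate(chain)
    gates["left"].short_circuit_ch1 = True
    log["short circuit on left ch1"] = relay.evaluate(chain)   # not detected
    gates["left"].closed = False
    log["left gate opened"] = relay.evaluate(chain)             # fault detected
    gates["left"].closed = True
    log["left gate closed again"] = relay.evaluate(chain)       # restart blocked
    gates["left"].closed = False
    gates["right"].closed = False
    log["left and right open"] = relay.evaluate(chain)          # fault reset
    for name in close_order:                                    # close gates again
        gates[name].closed = True
        log[f"{name} gate closed"] = relay.evaluate(chain)
    return log


if __name__ == "__main__":
    for order in (("left", "right"), ("right", "left")):
        print(f"closing order {order}:")
        for step, (on, fault) in run_scenario(order).items():
            print(f"  {step:<28} outputs_on={on!s:<5} fault={fault}")
```

Closing left then right ends with the outputs on and the short circuit still present; closing right then left leaves the device in the fault state.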
The occurrence of this type of masking should be taken into account on mechanical switches and magnetic proximity switches alike. Only switches with internal diagnostics and an OSSD output, as commonly found on RFID-based switches, are unaffected by this.

Mechanical switches
In this context, the question also arises as to the need for mechanical redundancy and the number of independent switches on a safety gate. When installed correctly, magnetically operated and RFID proximity switches are often designed so that a single mechanical fault does not lead to the loss of the safety function; however, on mechanically operated switches (reed or roller switches), particular attention needs to be paid to the single-channel mechanical actuator. The documentation for the switch should always be checked carefully to establish whether the switch itself has any assured properties and if so, which. This is particularly important when a dual-channel electrical switching element is present. If not explicitly confirmed by the switch manufacturer under intended use, fault exclusions for the mechanical part of these switches must be justified by the user. This is often very difficult if not impossible to achieve, as it is difficult to estimate the effects of wear, vibration, corrosion or inappropriate mechanical stress, for example. In cases such as these, to achieve PL d or PL e you should use either two mechanical gate switches per gate, one dual-channel magnetic switch or one RFID switch with OSSD output.
In practice, a single switch pair that is evaluated by a safety relay can achieve a DC = 99%. Based on this premise, in the current draft of EN ISO 14119, the maximum DC for a group of interlinked switches is stated based on the number of switches connected in series and their frequency of operation. As you can see in the table below, masking restricts the maximum achievable DC, and as a direct result, the achievable PL. If a series of interlinked switches is required to meet PL e, a technical solution is available using switches with integrated fault detection. As masking cannot occur in this case, it is possible to have interlinked switches without restricting the DC or PL.
Maximum DC and PL for interlinked switches connected in series (draft EN ISO 14119), by number of switches (2 to 4, >4) and frequency of operation:
DC for guard limited to:   Low (60 %)   Low (60 %)   None (<60 %)   None (<60 %)
Maximum achievable PL:     PL d         PL d         PL c           PL c
Assessment of magnetic switches

One problem has proved to be critical when using magnetically operated gate switches (with reed contacts). If pairs of switches and safety relays are used and their mutual suitability has not been tested by the manufacturer, the machine builder must ensure that peak currents within the switch do not cause premature wear. This mainly affects pairs of reed switches with relay-based safety units. For the assessment it is necessary to calculate the maximum occurring peak current IS (see Formula 1) and to compare this with the permitted peak current of the switch ISmax. All switches in series connections must be considered, which is why the lowest of all the permitted peak currents must be greater than or equal to the maximum switching current (see Formula 1).
Symbols used in Formula 1 and Formula 2:
RSmin(i)   Minimum internal resistance of switch i
ISmax(i)   Maximum permitted peak current of switch i
UPmax      Maximum voltage
RPmin      Minimum internal resistance of safety relay
IS         Maximum switching current
There is another new factor to consider from ISO 13855 relating to the consideration of switches on movable guards. This involves a potential hazard which might arise when a gate in a safety fence can be opened to such an extent that a person can access the danger zone through the opening without the corresponding gate switch receiving a signal change. This is more of a theoretical hazard but it can be averted by increasing the safety distance proportionate to the size of the undetected gate opening. In practice, the problem should never arise in the first place with the installation of a door switch that has been selected and fitted to meet the requirements of the situation.

In this respect, the actual safety distance between the gate and site of the hazard is of greater practical relevance. Here, the question arises as to what happens when the safety gate in a safety fence is opened and a person enters the danger zone but the machine is still running down or braking. In this case, the relevant danger zones can still be reached if the person approaches at sufficient speed and the machine has a correspondingly long braking time. This situation has so far not been resolved by standards and pragmatic approaches have tended to dominate. According to the standard, the calculation for the use of light curtains can be used in this case. Safety distance S is calculated as S = (K x T). K is the walking speed of the person of 1,600 mm/s and T is the time from the triggering of the gate switch to the machine stopping (i.e. safe status is achieved). The time that it takes to open the gate may be deducted. This can be identified either by considering how long this may take in theory or by timing it in practice, as no standard values are provided.
IS =
Formula 1
Formula 2
The problem of premature wear does not normally occur on mechanically operated switches and switches with OSSD output because wear on these switches is primarily determined via the average current and the thermal behaviour.
Number of beams   Beam heights in mm
4                 300, 600, 900, 1 200
3                 300, 700, 1 100
2                 400, 900
1                 750
If the ESPEs form horizontal or inclined protected fields above an accessible area which requires safeguarding, the fields must be positioned at a minimum height, as pre-determined by the application and ESPE. Here too, the safety distance between the outer edge of the protected field and the danger point to be safeguarded should be such that the possibility of injuries resulting from the hazardous movement in the danger zone is excluded, bearing in mind the machine's stopping performance.
[Figure: PNOZ e4.1p]
[Table: requirements of EN 574 by two-hand control device type (I, II, IIIA, IIIB)]
Requirement                                                               EN 574 clause
Use of both hands                                                         5.1
Release of either actuator initiates the cessation of the output signal   5.2
Prevention of accidental operation                                        5.4
Protective effect shall not be easily defeated                            5.5
Re-initiation of output signal only when both actuators are released      5.6
Output signal only after synchronous actuation within max. 500 ms         5.7
Use of category 1 in accordance with EN 954-1                             6.2
Use of category 3 in accordance with EN 954-1                             6.3
Use of category 4 in accordance with EN 954-1                             6.4
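An added example (constructed; not the P2HZ X4P's firmware nor any Pilz code) of the control logic described by requirements 5.2, 5.6 and 5.7 in the table: the output is given only when both actuators are pressed within 500 ms of each other, ends as soon as either is released, and can only be re-initiated after both have been released. Timestamps in milliseconds are supplied by the caller; category (6.2 to 6.4) concerns the hardware architecture and is not modelled.

```python
"""Two-hand control logic per EN 574 clauses 5.2, 5.6 and 5.7 (constructed example).

Not Pilz code. The caller samples both actuators and passes the sample
time in milliseconds; the class returns the state of the output signal.
"""

SYNC_WINDOW_MS = 500   # 5.7: output only after synchronous actuation within 500 ms


class TwoHandControl:
    def __init__(self) -> None:
        self.a_pressed = False
        self.b_pressed = False
        self.a_time = None     # time of the last rising edge of actuator A
        self.b_time = None     # time of the last rising edge of actuator B
        self.output = False
        self.armed = True      # True once both actuators have been released (5.6)

    def update(self, t_ms: int, a: bool, b: bool) -> bool:
        # Remember when each actuator was pressed (rising edge only).
        if a and not self.a_pressed:
            self.a_time = t_ms
        if b and not self.b_pressed:
            self.b_time = t_ms
        self.a_pressed, self.b_pressed = a, b

        if not (a and b):
            self.output = False            # 5.2: releasing either actuator ends the output
            if not a and not b:
                self.armed = True          # 5.6: both released, a new cycle may start
            return self.output

        # Both actuators are held. A fresh cycle starts the output only when the
        # device is armed and the two presses were synchronous (5.7). One attempt
        # consumes the arming, so a late second press cannot be "fixed" by
        # re-pressing one actuator while the other is still held.
        if self.armed:
            self.output = abs(self.a_time - self.b_time) <= SYNC_WINDOW_MS
            self.armed = False
        return self.output


def simulate(events) -> list:
    """events: iterable of (t_ms, a_pressed, b_pressed); returns the output after each."""
    thc = TwoHandControl()
    return [thc.update(t, a, b) for t, a, b in events]


if __name__ == "__main__":
    # Constructed sequence: synchronous start, release of A, re-press with B held,
    # full release, synchronous restart.
    for step in zip(
        [(0, True, False), (300, True, True), (600, False, True),
         (700, True, True), (900, False, False), (1000, True, True)],
        simulate([(0, True, False), (300, True, True), (600, False, True),
                  (700, True, True), (900, False, False), (1000, True, True)]),
    ):
        print(step)
```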
[Figure: P2HZ X4P]
External drive monitoring through the PNOZmulti safety system with speed monitoring.
If an unintended movement such as this is unacceptable, safe drive technology must be used, which will prevent such faulty behaviour from the start (see also Chapter 7: Safe motion control).
Drive-integrated safety.
[Figure: risk over the course of operation in normal mode and special mode: unprotected; interlock "all or nothing" leads to manipulation!; work under special conditions and accepted risks; gain in safety; residual risk]
[Figure: safeguard is opened. Without tools: once opened, the machine may only be set in motion under certain conditions, e.g. with two-hand circuit, in jog mode, at reduced operating speed. With tools: before opening, operate main switch, secure switch with lock, attach warning sign. Secure.]
Where safeguards are opened as a condition of operation or more frequently (for example: at least once per shift), this must be possible without using tools. Where there are hazardous situations, use of an interlock or guard locking device must be guaranteed. Further protective measures must be adjusted to suit the resulting risk and the drive/technological conditions, to ensure that the activities which need to be carried out while the safeguards are open can be performed at an acceptable level of risk. This procedure conforms to the EC Machinery Directive. It allows work to be carried out while the safeguards are open as a special operating mode and gives this practice a legal basis.

4.4.5 Conclusion
Just some final words in conclusion for all designers: Designing interlocks so that absolutely no movement of the machine or subsections is possible once the safeguard has been opened actually encourages the type of conduct which is contrary to safety and, ultimately, leads to accidents. Nevertheless, it is the causes you have to combat, not the people. If a machine does not operate as intended, users will feel they have no choice but to intervene. In all probability, the machine will reciprocate some time with an accident. Which is not actually what it was designed to do!
[Figure: decision flow: avoid hazards; restriction? Yes: secure hazards; No: indicate hazards]
Chapter 5 Contents
Safety functions for all requirements.
[Figure: structure of a safety relay, in two panels (normal operation, and short circuit in the E-STOP pushbutton): supply UB, input channels Ch. 1 and Ch. 2 with the E-STOP button on S11/S12/S22, ON button on S33/S34, feedback loop on Y1/Y2, relays K1, K2 and K3 with capacitor C1, output contacts 14, 24, 34, 42]
Structure and function of a safety relay.
Electronic safety relays can be expanded in the simplest way possible. Whether you use additional contact blocks or function modules: Adapting to the specific requirements of the respective plant or machine is a simple, straightforward process, with contacts expanded via connectors. With just a single base unit, plus additional expansion units if required, users can fully implement all the classic functions.
[Figure: wiring example built from contact-based devices implementing AND (&) and OR (>=1) logic functions]
Wiring example
The diagram shows that implementation via contact-based devices produces a result which is not entirely comprehensible; it is also very cost intensive due to the vast amount of wiring involved. In recognition of this fact, consideration almost inevitably turned to a simpler form of implementation, using logic connections between the safety relays. Thus started the development of a new type of device with integrated connection logic.
[Figure: device with integrated connection logic: inputs combined via & to outputs]
[Figure: example of an Ex marking, II 3 GD Ex nA II (T4), with callouts 1 to 5]
1  Conforms to the standards EEx (EU), AEx (USA)
2  Explosion-proof equipment
3  Ignition protection
4  Gas group
5  Temperature class
The parameters available in the Configure Function Element window (see illustration) essentially mirror the familiar functions from the safety relays. They no longer have to be set laboriously on the device or be selected via jumpers; with the parameter tool everything operates in the simplest way possible. Users will find all the useful, proven elements from the world of the classic safety relays, just represented in a different format. This new configuration method has another quite simple, safety-related benefit: Once the configuration has been selected, it cannot easily be modified by unauthorised persons via screwdriver or device selector switch.
Simple configuration of the required input and output modules, plus the availability of special modules for speed or analogue processing, enable the user to create a safety system that suits his own individual needs. Functions can be added or adapted later with relative ease. The user simply selects these modules from a hardware list and then creates the necessary logic functions.
Muting phase 2: muting sensors 1 and 2 operated; light beam device suspended; muting lamp active.
Muting phase 4: muting process ended; light beam device reactivated; muting lamp off.
by setting parameters in the user block. Reliable monitoring therefore becomes a reality; all values can be evaluated and further processed.

Example: Range monitoring of a 4 to 20 mA current loop
With range monitoring, the first step is to define the permitted value range. Depending on the selected condition (greater than or less than), the output for threshold value monitoring is set to 0 if the recorded value exceeds or drops below a range limit. Two range limits are to be defined in this example: I < 3 mA monitors for open circuit and I > 21 mA monitors for encoder error.
Error if   Condition   Value    Comment
R1         <           3 mA     Open circuit
R2         >           21 mA    Encoder error
[Figure: measured-value scale from 0 mA to 25.59 mA showing the range limits R1 and R2]
Example: Monitoring the position of a control valve via range monitoring
Control valves in process technology, e.g. to control flow rates, are generally controlled in analogue; feedback on the valve position is also analogue. Without safe analogue processing, until now, only special switches have been able to evaluate position signals from valves. The new technology allows you to set as many valve positions as you like and to monitor compliance safely and reliably.
[Figure: two-channel architecture: each channel with PII and PIO, a DPR between the channels, results combined via &]
[Figure: safety relay output contacts 23, 33, 41 / 14, 24, 34, 42 and terminals B2, A2]
Enable operating principle, with safety relay or safety control system.
[Figure: two SafetyBUS p devices (SB address selectors x10/x1, SB active indicator; connectors X0 power, X2 ground, X3 load supply, X4 to X7 inputs/outputs O0 to O7, I0 to I7, T0/T1) with standard (ST) and failsafe (FS) inputs and outputs; the outputs are combined with the control system via & ("Classic: & on control system")]
Circuit diagram for the enable principle.
[Figure: the enable principle extended to a PSSu modular I/O station on SafetyBUS p and PROFIBUS DP: modules PSSu H SB DP, PSSu E F PS1, PSSu E F PS-P, PSSu E F BSW, PSSu E S 4DI, PSSu E S 2DO 2, PSSu E F 4DI, PSSu E F 2DO 2; standard (ST) and failsafe (FS) inputs and outputs; SB address selectors, Err/24V indicators, USB connection]
Extending the enable principle.
[Figure: safety relay output contacts 23, 33, 41 / 14, 24, 34, 42 and terminals B2, A2; packaging of the PMI-PRO configuration software for the PMI range (full licence, order number 310 400) and of the PNOZmulti Configurator CD-ROM (version 5.50 SP7; English/German/French/Spanish/Italian)]
[Figure: performance/quality (minimum, adequate, maximum) plotted against effort/costs and duration (earliest)]
However, excellent support during the engineering phase, through an appropriate programming model, a user-friendly programming environment and an extensive library, can lead to higher quality in shorter time and at a lower overall cost.
[Figure: plant divided into Modules A, B and C (module types A, B, C), each with its own PSSu station (PSSu H SB DP, PSSu E F PS1, PSSu E S 4DI, PSSu E F BSW, PSSu E S 2DO 2) connected via SafetyBUS p and PROFIBUS DP]
Whatever can be decomposed mechanically can also be decomposed into single parts or components with regard to automation. A components-based approach must not be limited to individual stations (such as Modules A to C in the diagram, for example), but must extend right down to the individual function units (known as mechatronic units). Future applications will be implemented much more effectively if comprehensive libraries can provide these units as reusable component blocks.
Even when division into modules and mechatronic units makes sense, it's important not to lose sight of the overall picture: Programming models which keep the units together and represent them as a whole are a much greater benefit to customers than those that merely provide components with interfaces and ultimately expect the user to look after these interfaces.
[Figure: slide stroke without servo mode compared with slide stroke with servo pendulum mode]
The graphic examples are intended to show that in future, safety technology will need to make wide-ranging calculations in order to meet the specified requirements. Safety control systems must be able to record, process and output complex measured variables. The necessary means to do this are significantly different to anything currently available. It involves not only the sensors and actuators, but above all the processing logic functions, for which simple instruction sets are no longer sufficient due to the increased requirements. To summarise, plant and machine processes are becoming more complex and dynamic due to the demands that are placed on them. Safety technology of the future must take these changed requirements into account.
Safety function in accordance with EN 13849-1 with sensor, logic and actuator.
[Figure: safe data types by system. PNOZmulti: SAFEBOOL. PASmulti: SAFEBOOL, SAFEBYTE, SAFEWORD, SAFEDWORD, SAFESINT, SAFEINT, SAFEDINT, SAFEUSINT, SAFEUINT, SAFEUDINT.]
[Figure: static safety compared with dynamic safety.]
Static and dynamic safety.
How does this affect developments in safety technology? Dynamic safety needs the control function to dovetail closely with safety. That's why it's necessary to think more in terms of systems. If subfunctions are to fit seamlessly together, functions cannot simply be superimposed; they must be an integral part of the overall system. Developments in the control technology sector have already seen functions executed across device boundaries; similar developments will also become established in safety technology. Ultimately, the challenge lies in integrating the functions into the overall system. With highly complex dynamic tasks, insular solutions will generate no added value.
Safe communication
Chapter 6 Content
6 Safe communication  6-3
6.1 Basic principles of safety-related communication  6-3
6.1.1 Principle of decentralised safety technology  6-3
6.1.2 Handling communication errors  6-3
6.1.3 Principle of redundancy  6-5
6.2 Safe fieldbus communication with SafetyBUS p  6-6
6.2.1 System description SafetyBUS p  6-7
6.2.2 Security measures  6-7
6.2.3 Technical details  6-8
6.2.4 Separation of safety-related and standard communication  6-8
6.2.5 Certification  6-9
6.2.6 Diagnostics  6-9
6.2.7 Communication media  6-9
6.2.8 Industries, applications  6-10
6.3 Safe Ethernet communication with SafetyNET p  6-13
6.3.1 Why Ethernet in automation technology?  6-13
6.3.2 System description SafetyNET p  6-13
6.3.3 UDP/IP-based communication with RTFN  6-15
6.3.4 Hard real-time communication with RTFL  6-16
6.3.5 CANopen application layer  6-17
6.3.6 Safe communication via SafetyNET p  6-18
6.3.7 Safe communication in the OSI reference model  6-18
6.3.8 Safe telegram structure  6-19
6.3.9 Safe communication in distributed control systems  6-19
6.3.10 Application example of a modular machine design  6-20
6.1.2 Handling communication errors
The sections below describe typical errors which may occur when safety-related data is communicated via an industrial communication system, and the measures by which these can be handled.
6.1.2.1 Message repetition
Malfunctions within the bus subscriber can lead to telegram repetition. Each message is given a sequential number so that repeated messages are detected. The receiver is expecting the sequential number, so it will detect repeated telegrams and initiate appropriate measures.
[Table: errors considered: repetition, loss, insertion, incorrect sequence, message corruption, delay, combining safety-related and non-safety-related messages. Measures legible in the extract: timeout, data security; the assignment of measures to errors is not reproduced.]
Errors and measures, using SafetyNET p as an example, taken from BIA GS-ET 26.
[Figure: SafetyBUS p system example. PSS safety control systems and PSSu modules (PSSu H SB DP, PSSu E F PS, PSSu E F 4DI, PSSu E F BSW, PSSu E F PS1, PSSu E F 2DO 2), two SafetyBUS p segments (A and B) with device address and I/O group settings, a PSS SB2 3006-3 ETH-2, an operator panel (Presse 2, Presse 3, Motor 1 to 4, Basisdruck, Temperatur, Alarm, Stopp) and a safety light curtain (emitter/receiver). Communication media shown: wireless multipoint up to 10 km, wireless optical up to 70 m, fibre optic up to 10 km.]
[Figure: SafetyBUS p telegram embedded in a CAN telegram. CAN telegram fields: 11 bit identifier, 6 bit DLC, data field carrying the SafetyBUS p telegram, 16 bit CRC, 1 bit ACK. The CAN CRC detects corruption.]
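The receiver-side checks behind the error list of 6.1.2 (sequential number, data security via CRC, timeout), as an added Python example. This is not Pilz code and not the SafetyBUS p telegram definition: the frame layout (source, destination, 16-bit sequence number, 4-byte payload, CRC), the CRC polynomial and the traffic in the scenario are all constructed for the example.

```python
"""Receiver-side checks for a safety telegram (added example, not Pilz code).

Models the error classes listed in BIA GS-ET 26 above (repetition, loss,
insertion, incorrect sequence, corruption, delay) with the measures the
chapter names: a sequential number per message, a 16-bit CRC and a timeout.
The telegram layout and the CRC polynomial are assumptions made for this
example, not the SafetyBUS p definitions.
"""
import struct

CRC_POLY = 0x1021  # CRC-16/CCITT polynomial (assumed for the example)


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: init 0xFFFF, no reflection, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ CRC_POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


HEADER = ">BBH"   # source address, destination address, sequence number
PAYLOAD_LEN = 4   # assumed fixed payload length for the example
FRAME_LEN = struct.calcsize(HEADER) + PAYLOAD_LEN + 2  # + 16-bit CRC


def build_telegram(src: int, dst: int, seq: int, payload: bytes) -> bytes:
    """Transmitter side: header + payload, protected by the CRC."""
    body = struct.pack(HEADER, src, dst, seq & 0xFFFF) + payload
    return body + struct.pack(">H", crc16(body))


class SafeReceiver:
    """Checks every telegram and latches the safe state on the first error."""

    def __init__(self, my_addr: int, peer_addr: int, timeout_ms: int):
        self.my_addr, self.peer_addr, self.timeout_ms = my_addr, peer_addr, timeout_ms
        self.reset(next_seq=0)

    def reset(self, next_seq: int) -> None:
        """Resynchronise after the error has been acknowledged."""
        self.expected_seq = next_seq & 0xFFFF
        self.last_ok_ms = None
        self.safe_state = False

    def _fail(self, reason: str):
        self.safe_state = True      # the application must drive its outputs to the safe state
        return reason, None

    def receive(self, frame: bytes, now_ms: int):
        """Returns (status, payload); payload is None unless status == "OK"."""
        if self.safe_state:
            return "SAFE_STATE", None
        if len(frame) != FRAME_LEN:
            return self._fail("CORRUPTION")
        body, crc_rx = frame[:-2], struct.unpack(">H", frame[-2:])[0]
        if crc16(body) != crc_rx:                         # data security: CRC
            return self._fail("CORRUPTION")
        src, dst, seq = struct.unpack(HEADER, body[:4])
        if src != self.peer_addr or dst != self.my_addr:  # foreign telegram inserted
            return self._fail("INSERTION")
        if self.last_ok_ms is not None and now_ms - self.last_ok_ms > self.timeout_ms:
            return self._fail("DELAY")                    # timeout since the last valid telegram
        diff = (seq - self.expected_seq) & 0xFFFF         # modulo-65536 distance
        if diff == 0:
            self.expected_seq = (seq + 1) & 0xFFFF
            self.last_ok_ms = now_ms
            return "OK", body[4:]
        if diff == 0xFFFF:                                # the previous number again
            return self._fail("REPETITION")
        if diff < 0x8000:                                 # jumped ahead: telegram(s) missing
            return self._fail("LOSS")
        return self._fail("INCORRECT_SEQUENCE")           # an older number arrived late


def run_scenario() -> list:
    """Constructed traffic between device 1 (transmitter) and device 2 (receiver)."""
    rx = SafeReceiver(my_addr=2, peer_addr=1, timeout_ms=50)
    payload = b"\x01\x00\x00\x00"
    t = [build_telegram(1, 2, n, payload) for n in range(6)]
    out = []
    out.append(rx.receive(t[0], 0)[0])                   # OK
    out.append(rx.receive(t[1], 10)[0])                  # OK
    out.append(rx.receive(t[1], 20)[0])                  # REPETITION
    rx.reset(2); out.append(rx.receive(t[3], 30)[0])     # LOSS (number 2 missing)
    rx.reset(2); out.append(rx.receive(t[2], 40)[0])     # OK
    out.append(rx.receive(t[3], 100)[0])                 # DELAY (60 ms > 50 ms timeout)
    rx.reset(3)
    damaged = bytearray(t[3]); damaged[5] ^= 0x01        # one flipped payload bit
    out.append(rx.receive(bytes(damaged), 110)[0])       # CORRUPTION
    rx.reset(3); out.append(rx.receive(build_telegram(9, 2, 3, payload), 120)[0])  # INSERTION
    rx.reset(5); out.append(rx.receive(t[2], 130)[0])    # INCORRECT_SEQUENCE
    return out
```

Each check maps to one row of the error table: the CRC covers corruption, the address pair covers insertion, the sequential number covers repetition, loss and incorrect sequence, and the timeout covers delay. Once an error is detected the receiver stays in the safe state until it is explicitly reset, which is the behaviour a safety application expects.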
6.2.8.2 Airports
Airports contain baggage handling and conveying technology applications in which long distances have to be covered. Safety-related equipment such as E-STOP pushbuttons and grab wires are distributed across the whole route. SafetyBUS p collects the safety-related signals and makes them available to the safety control system, which shuts down the drives safely if necessary.
6.2.8.3 Passenger transportation
SafetyBUS p is also used for communication on cable cars: Safety-related signals are exchanged between the mountain and valley stations and signals are collected en route. Wireless or fibre-optic communication is used to cover the long distances.
[Figure: network levels of a plant. Office level: PCs and a server. Machine communication: RTFL/RTFN and SafetyBUS p. Machine 3 with drive controller, PLCs and I/O. Drive bus: RTFL real-time. Sensor/actuator level: SafetyBUS p.]
[Figure: SafetyNET p protocols in the OSI reference model]
OSI layer     Protocols
Application   HTTP, FTP, SMTP, PTP (Precision Time Protocol), DNS (Domain Name System), RTFN
Presentation
Session
Transport     TCP, UDP
Network       IP
Data link     MAC
Physical      PHY
RTFL appears as a separate entry in the figure.
[Figure: SafetyNET p publish/subscribe topology: devices with RJ45 ports connected in line, each acting as publisher and/or subscriber; the RD/OD labels of the original are not reproduced.]
[Figure: CANopen object directory: the application accesses objects by index (e.g. 6000h, 6010h), which map onto the process environment.]
[Figure: safe communication via SafetyNET p in the OSI model. Application (Layer 7): safe device profiles, non-safety-related objects, safe object directory, safe service data objects (MSC, acyclical data channel) and safe process data objects (CDC, cyclical data channel); below: UDP, IP, MAC, PHY.]
6.3.9 Safe communication in distributed control systems
The publisher/subscriber communication principle is used universally on SafetyNET p. To enable the publisher/subscriber approach to also be used for safe communication, some new security mechanisms have been developed for SafetyNET p. For example, telegram delays can be managed by a runtime measurement initiated by the receiver. The advantage over previous standard solutions is that the transmitter of the message does not need to know the receiver. So the publisher/subscriber approach can also be applied in safety technology, which enables distributed, safe control systems.
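A receiver-initiated runtime measurement on a publish/subscribe channel, as an added Python example. It is not Pilz code and not the SafetyNET p mechanism itself; the request/echo token scheme, the telegram fields and the delays are assumptions made to show the point of the paragraph: the publisher holds no list of subscribers, yet every subscriber can bound the delay of the telegrams it receives.

```python
"""Receiver-initiated runtime measurement on a publish/subscribe channel
(added example, not Pilz code and not the SafetyNET p specification).

The publisher keeps no list of subscribers. A subscriber that wants to bound
the telegram delay sends a runtime request carrying a token; the publisher
merely echoes the most recent token in its next cyclic telegram. Each
subscriber measures the time from its own request to the telegram that
echoes it and enters the safe state if that exceeds its limit.
Message fields and timings are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Telegram:
    topic: str
    seq: int
    value: int
    echo: Optional[Tuple[str, int]]   # (subscriber id, token) of the last request seen


class Publisher:
    def __init__(self, topic: str):
        self.topic, self.seq, self.pending_echo = topic, 0, None

    def on_runtime_request(self, subscriber_id: str, token: int) -> None:
        # Stateless with respect to subscribers: only the latest request is echoed.
        self.pending_echo = (subscriber_id, token)

    def publish(self, value: int) -> Telegram:
        self.seq += 1
        return Telegram(self.topic, self.seq, value, self.pending_echo)


class Subscriber:
    def __init__(self, sid: str, topic: str, max_runtime_ms: int):
        self.sid, self.topic, self.max_runtime_ms = sid, topic, max_runtime_ms
        self.token = 0
        self.open_requests = {}        # token -> time the request was sent
        self.last_runtime_ms = None
        self.safe_state = False

    def runtime_request(self, now_ms: int) -> Tuple[str, int]:
        self.token += 1
        self.open_requests[self.token] = now_ms
        return self.sid, self.token

    def on_telegram(self, tg: Telegram, now_ms: int) -> str:
        if self.safe_state:
            return "SAFE_STATE"
        if tg.topic != self.topic:
            return "IGNORED"
        echo = tg.echo
        if echo is not None and echo[0] == self.sid and echo[1] in self.open_requests:
            self.last_runtime_ms = now_ms - self.open_requests.pop(echo[1])
            # requests older than the echoed one are superseded
            self.open_requests = {k: v for k, v in self.open_requests.items() if k > echo[1]}
            if self.last_runtime_ms > self.max_runtime_ms:
                self.safe_state = True
                return "DELAY"
            return "OK"
        # No echo for us: an unanswered request older than the limit is also a delay.
        if any(now_ms - sent > self.max_runtime_ms for sent in self.open_requests.values()):
            self.safe_state = True
            return "DELAY"
        return "OK"


def simulate(one_way_delays_ms: dict, max_runtime_ms: int = 20) -> dict:
    """Constructed run: each subscriber measures its own round trip; the
    Publisher code above never learns who or how many the subscribers are."""
    pub = Publisher("press/speed")
    results = {}
    for sid, delay in one_way_delays_ms.items():
        sub = Subscriber(sid, "press/speed", max_runtime_ms)
        t0 = 0
        pub.on_runtime_request(*sub.runtime_request(t0))  # request reaches the publisher at t0 + delay
        tg = pub.publish(value=1200)                       # next cycle carries the echo
        status = sub.on_telegram(tg, t0 + 2 * delay)       # echo arrives after the return trip
        results[sid] = (status, sub.last_runtime_ms)
    return results
```

The subscriber with a 5 ms one-way delay measures a 10 ms runtime and stays operational; the one with 15 ms measures 30 ms, exceeds its 20 ms limit and latches the safe state, without the publisher having done anything differently for either of them.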
Safe motion
Chapter 7 Contents
7 Safe motion  7-3
7.1 Definition of safe motion  7-3
7.2 Basic principle  7-4
7.2.1 Safe isolation of the motor from the energy supply  7-4
7.2.2 Safe motion monitoring  7-6
7.2.3 Safe limit value specification  7-9
7.3 Standard EN 61800-5-2  7-10
7.4 Safety functions  7-12
7.4.1 Stop functions and their standard reference  7-12
7.4.2 Safety functions in accordance with EN 61800-5-2  7-12
7.5 System examination  7-22
7.5.1 Drive electronics  7-23
7.5.2 Motor  7-24
7.5.3 Safe logic  7-24
7.5.4 Safe braking  7-25
7.5.5 Motion monitoring  7-25
7.5.6 Motion control  7-26
7.5.7 Implementation examples  7-26
7.6 Examples of safe motion  7-28
7.6.1 Performance level of safety functions  7-28
7.6.2 Reaction times of safety functions  7-42
The following details refer to three-phase drive systems, as currently used in an industrial environment. Applying them to other actuator systems (e.g. DC drives, servo valves, ...) is only possible under certain conditions and needs to be examined separately.
7.2.1 Safe isolation of the motor from the energy supply
Before explaining the different shutdown paths on a converter it's necessary to understand the fundamental mode of operation.
[Figure: converter structure. Supply, rectifier, intermediate circuit and inverter (inverted rectifier) feeding the motor; the control system takes the reference variables, runs the control loops and produces the pulse pattern, which reaches the power stage via optocouplers.]
Shutdown paths: device and technology
1 Mains isolation: mains contactor; isolation of supply voltage to the converter
2 Motor isolation: motor contactor; isolation of the motor terminal voltage
3 Drive-integrated isolation: safe pulse disabler; isolation of the control signals to the power semiconductors
4 Isolation of reference variable: setpoint setting to zero; control system does not generate control variables (processor-based)
5 Isolation of control variable: control enable; no control signals are generated for the power semiconductors
[Figure: shutdown paths 1 to 5 located on the converter between supply, setpoint specification, control loops and motor.]
Encoder signals (standard encoder interfaces), by description:
- Initiator signal: generated by scanning a cam or cogwheel; analogue signal with TTL or 24 V level.
- Two analogue signals, 90° out of phase, either square or sinusoidal (level: TTL, 24 V, 1 Vss).
- Digital interface which transmits coded positional information (SSI, fieldbus).
- Digital motor feedback interface with additional analogue signals (EnDat, Hiperface, BiSS).
- Safe digital interface which transmits coded positional information (SafetyNET p, CANopen Safe, PROFIBUS and PROFINET with PROFIsafe, ...).
[Figure: encoder systems for safety-related applications. Variants shown: two encoders, or a safe encoder, in several combinations; the achievable level per variant is rated Average, High or Very high.]
Encoder systems for safety-related applications.
2008-11 Pilz GmbH & Co. KG, 2012
[Figure: limit value specification: constant, selectable or dynamic.]
Relay-like systems often use constant limit values. For example, a fixed limit value can be defined by setting jumpers or via other setting options on the device. On safe control systems, multiple limit values can be defined via configuration or programming user interfaces. Selection can be made during operation via a safe I/O interconnection, through evaluation of sensor signals or through specification via a safe fieldbus, for example. Dynamic limit values can only be used in conjunction with a powerful, safe control system or a safe bus system with real-time capabilities. When combined with optical monitoring of the protected field in robot applications, for example, safe speed can be reduced based on the distance of the operator from the danger zone: The closer the operator comes to the danger zone, the slower the motors move.
Power drive system (PDS)
System comprising power equipment (power converter module, AC motor, feed module, ...) and control equipment. The hardware configuration consists of a complete drive module (CDM) plus a motor or motors with sensors, which are mechanically connected to the motor shaft (the driven equipment is not included).
PDS/Safety-related (SR)
AC power drive system for safety-related applications.
Complete drive module (CDM)
Drive system without motor and without a sensor connected mechanically to the motor shaft; it comprises, but is not limited to, the BDM and expansions such as the feed module and auxiliary equipment.
Basic drive module (BDM)
Drive module consisting of a power converter module, control equipment for speed, torque, current, frequency or voltage and a control system for the power semiconductor components, etc.
7.4.2 Safety functions in accordance with EN 61800-5-2
Today's state-of-the-art technology enables stop functions to have a drive-integrated solution. This solution reduces the space requirement in the control cabinet and also the amount of wiring necessary, as additional external components required in the past, such as contactors, are now superfluous. Even additional components to monitor standstill or speed are now surplus to requirements. Servo amplifiers with integrated safety functions in accordance with EN 61800-5-2 are now available, providing much simpler solutions, even for complex safety requirements.
The standard EN 61800-5-2 divides safety functions into stop functions and miscellaneous safety functions. The description is only rudimentary and allows a great deal of freedom in how it is implemented and interpreted. This is particularly evident with the stop functions, which are among the most complex of safety functions. The implementation method can vary greatly, but so too can the external behaviour of the safety functions. When the safety functions are operated in practice, subsequent effects can often be attributed to the poor quality of the sensor signals or to the actual behaviour of an electrical drive in general. Poorly tuned control loops and EMC are frequently the cause of restricted availability of safe drive axes.
One example of this is the definition of standstill: On a closed loop system, zero speed is more of a theoretical value. Depending on the quality of the control loops, some jitter may be observed around the zero position; if the limit value was set to zero, this would immediately trigger a reaction on account of a limit value violation. The safety function would shut the drive down safely at the expense of system availability. In this case, it helps to define a standstill threshold > 0, where the permitted speed is still non-hazardous. An alternative is to define a position window, from which the motor may not deviate. In this case, even the slightest movements would not lead to a limit value violation.
[Figure: safety chain of a drive axis: safety gate and E-STOP as sensors, safe monitoring of the motion, power element, motor, encoder and brake.]
Safe stop 1 (SS1)
Variants of the safe stop 1 function, by description:
1. Triggering of the safety function starts an application-specific, safe time delay, after which the power is safely removed from the motor. Motor braking is a function of the non-safety-related drive technology. Should the motor accelerate during this time delay, it will not be detected.
2. The monitored time delay is combined with standstill detection. If the motor reaches standstill before the time delay has elapsed, the STO function will be triggered. Here too, motor acceleration during the time delay will not be detected.
3. A monitored braking ramp provides the highest quality in terms of functional safety. During the braking process, values are continuously compared with a limit value or a permitted drag error. If the limit value is violated, the STO function is triggered.
In many applications, drives cannot simply be shut down because they would then run down slowly, which could cause a hazard. Also, an uncontrolled run down of this type often takes considerably longer than controlled axis braking. The safe stop 1 function (SS1) monitors controlled braking of the axis directly within the servo amplifier. Once the set braking ramp has run its course, the drive is shut down safely. The reaction times are reduced compared with external monitoring solutions; as a result, in many cases the safety distances to the danger points can also be reduced. This provides a number of benefits, such as improved ergonomics for the plant operator, space savings due to the reduced distance between the guards and the danger points and, last but not least, cost savings.
Safe stop 2 (SS2)
Variants of the safe stop 2 function, by description:
1. Triggering the safety function starts an application-specific, safe time delay, after which a safe operating stop is triggered. Motor braking is a function of the non-safety-related drive technology. Should the motor accelerate during this time delay, it will not be detected.
2. The monitored time delay is combined with standstill detection. If the motor reaches standstill before the time delay has elapsed, the safe operating stop will be triggered. Here too, motor acceleration during the time delay will not be detected.
3. A monitored braking ramp provides the highest quality in terms of functional safety. During the braking process, values are continuously compared with a limit value or a permitted drag error. If the limit value is violated, the STO function is triggered; otherwise a safe operating stop will follow.
So what are the benefits of the safe stop 2 (SS2) function? If the axes no longer need to be shut down at standstill, they will actively hold their current position, so the synchronisation between axes and process is no longer lost. As a result, the axes can be restarted immediately at any time, which clearly increases plant availability. Here too, the drive-integrated function leads to shorter reaction times, thereby minimising the risks. The monitoring function's response times have a direct influence on the potential channels available until a safety shutdown occurs. As the reaction times are used in the calculation of the safety distances, the benefits listed for the safe stop 1 function will also apply here.
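The standstill definitions of 7.4.2 (a speed threshold > 0, or a position window) together with the monitored braking ramp of the SS1 and SS2 variant lists, as one added Python example. This is not Pilz code and not a servo amplifier's implementation; the deceleration, drag tolerance, standstill threshold, window and sample points are constructed values chosen to show a correct stop, a ramp violation, and the availability problem of a zero standstill threshold.

```python
"""Drive-integrated stop monitoring (added example, not Pilz code).

Implements variant 3 of the SS1/SS2 lists above, a monitored braking ramp
with a permitted drag error, together with the two standstill definitions
from 7.4.2: a speed threshold > 0, or a position window. All numbers
(deceleration, tolerances, sample points) are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StopParameters:
    decel: float                       # expected braking ramp, rpm per second
    drag_tolerance: float              # permitted drag error above the ramp, rpm
    standstill_speed: float            # standstill threshold, rpm (0 = "true" zero)
    position_window: Optional[float]   # degrees; if set, SOS holds by position, not speed
    stop_function: str                 # "SS1" (STO at standstill) or "SS2" (SOS at standstill)


class SafeStopMonitor:
    def __init__(self, p: StopParameters):
        self.p = p
        self.state = "IDLE"
        self.t0 = self.v0 = self.ref_pos = 0.0

    def trigger(self, t: float, speed: float, position: float) -> str:
        """Safety function requested (e.g. a safety gate opened)."""
        self.t0, self.v0 = t, abs(speed)
        self.state = "BRAKING"
        return self.state

    def sample(self, t: float, speed: float, position: float) -> str:
        if self.state == "STO":                      # STO is latched until reset
            return "STO"
        if self.state == "SOS":                      # safe operating stop: hold check
            if self.p.position_window is not None:
                violated = abs(position - self.ref_pos) > self.p.position_window
            else:
                violated = abs(speed) > self.p.standstill_speed
            self.state = "STO" if violated else "SOS"
            return self.state
        # BRAKING: the actual speed must stay under ramp + drag tolerance
        ramp = max(self.v0 - self.p.decel * (t - self.t0), 0.0)
        if abs(speed) > ramp + self.p.drag_tolerance:
            self.state = "STO"                       # ramp violated -> STO
        elif abs(speed) <= self.p.standstill_speed:  # ramp ended in standstill
            self.ref_pos = position                  # reference for a position window
            self.state = "STO" if self.p.stop_function == "SS1" else "SOS"
        return self.state


def run(p: StopParameters, samples: List[Tuple[float, float, float]]) -> List[str]:
    """samples: (time s, speed rpm, position deg); the first sample triggers the stop."""
    mon = SafeStopMonitor(p)
    t, v, x = samples[0]
    states = [mon.trigger(t, v, x)]
    for t, v, x in samples[1:]:
        states.append(mon.sample(t, v, x))
    return states


# Constructed parameter sets: 1000 rpm/s ramp, 200 rpm drag tolerance, 10 rpm standstill
BASE = dict(decel=1000.0, drag_tolerance=200.0, standstill_speed=10.0, position_window=None)
SS1 = StopParameters(**BASE, stop_function="SS1")
SS2 = StopParameters(**BASE, stop_function="SS2")
SS2_ZERO = StopParameters(**{**BASE, "standstill_speed": 0.0}, stop_function="SS2")
SS2_WINDOW = StopParameters(**{**BASE, "position_window": 0.1}, stop_function="SS2")
```

With the same jittering standstill samples, SS2_ZERO trips to STO on the first ±4 rpm of control-loop jitter, while SS2 (threshold 10 rpm) and SS2_WINDOW (0.1° window) keep the axis in the safe operating stop, which is exactly the availability argument made in 7.4.2.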
Safe operating stop (SOS)
The safe operating stop (SOS) has already been described with the safe stop 2 (SS2) safety function. It monitors the standstill position while the motor is in a closed loop status. Once the safety function has been lifted, the production or machining process can be continued with no loss of precision. This function is generally used in combination with a safe stop 2 (SS2) function, as standstill monitoring usually involves a braking process. As described above, the limit value can be specified as both a speed threshold and a position window.
Safely limited acceleration (SLA) and Safe acceleration range (SAR)
Safety functions relating to acceleration monitoring are not widely used in the current state-of-the-art technology. In servo drive technology, Ferraris sensors are used to detect acceleration only in special applications of machine tools or printing machinery. Standard drives cannot process these signals in their control loops; monitoring of these acceleration signals is very complex in practice.
Safe direction (SDI)
This prevents the motor from moving in an invalid direction. This safety function is frequently used in combination with safely limited speed (SLS) in setup mode. Here too, the drive-integrated solution enables the fastest possible shutdown.
Safe position monitoring ensures that the motor does not exceed a preset position limit value. If a limit value is violated, the motor is braked using a safe stop. The stopping performance achievable from a technical point of view must be taken into account. Below the limit value there are no restrictions in terms of acceleration or speed of the motor. Absolute position detection is required for this safety function. Absolute encoders may be used or relative measuring systems may be combined with a safe reference run.
Safely limited increment (SLI)
The motor is allowed to travel a permitted distance following a start command. A safe stop function must be triggered once the limit value is reached. If the permitted distance is exceeded, this must be detected and the drive must be safely brought to a standstill. Encoder systems with relative measurement are sufficient for this safety function.
Safe cam (SCA)
A safe output signal indicates whether the motor is positioned inside a specified range. These ranges are absolute position windows within a motor rotation. The basic function involves safe monitoring of absolute positions, which is why appropriate sensor systems must be used.
Safe speed monitoring (SSM)
The safe speed monitoring safety function (SSM) is very closely related to safely limited speed (SLS). However, if a limit value is violated there is no functional reaction from the components that are monitored, merely a safe message which can be evaluated and processed by a higher level safety control system. On one side the control system can perform more complex reaction functions, while on the other, the safety function can be used for process monitoring.
Safe brake test (SBT) Using the safe brake test (SBT) function can significantly increase safety. In many cases, simply controlling a holding brake safely is not enough to make a vertical axis safe. If the wearing, mechanical part of the brake is not maintained regularly, it cannot be guaranteed that the holding brake will apply the designated braking action in the event of danger. The safe brake test (SBT) function provides an automatic test which replaces previous measures that could only be implemented through organisational and manual operations; if the result is negative, it can bring the plant to a standstill and signal an error. This reduces maintenance work considerably.
Safe brake control (SBC) Safe brake control (SBC) supplies a safe output signal to drive an external mechanical brake. The brakes used must be safety brakes, in which a quiescent current operates against a spring. If the current flow is interrupted, the brake will engage. Control modules frequently include a power reduction feature when the brake is released to reduce energy consumption or brake heating. A safe brake test may be required to detect errors during operation, depending on the risk analysis. Holding brakes and service brakes are often used on axes with suspended loads. Along with the brake, the brake drive is another key component in terms of the safety function. The safe brake
[Figure: system examination. Principles/specifications: general requirements, risk assessment, B standards, C standards, safety integrity. Parameters/criteria: no. of axes, type of movement, encoder systems, machine design/functionality, drive technology, interfaces/communication, ability to modify limit values. Concept/solution: safe drive functions, drive electronics.]
system via fieldbus or drive bus. The classic allocation between the control systems depends on the required movement.
[Table extract: safe motion monitoring. Drive-integrated or external monitoring of single axis: limit value and monitoring must be examined for each drive axis; the status conditions of the individual axes are evaluated in central, safe logic. NC or RC control system: safe, central calculation of the current position from the position of the individual axes.]
7.5.7 Implementation examples Servo converters with drive-integrated motion monitoring and safe pulse disabler for shutdown Sensor evaluation is undertaken, for example, by a small, safety-related control system, which activates the safety functions in the drive via a safe I/O interconnection. The servo motor has an integrated sine/cosine motor encoder for motor control and positioning. The reaction time before the safety function is activated is around 60 ms, the reaction time when limit values are violated is <10 ms.
[Block diagram: three safety-related subcircuits in series, each with PL e; PLlow = PL e.]
The block diagram shows the logical structure of the safety function, comprising the series alignment of the safety-related subcircuits.
Determination of the performance level for the overall circuit
EN ISO 13849-1, Table 11: Calculation of PL for series connection of SRP/CS
PLlow  Nlow  PL
a      > 3   None, not allowed
a      ≤ 3   a
b      > 2   a
b      ≤ 2   b
c      > 2   b
c      ≤ 2   c
d      > 3   c
d      ≤ 3   d
e      > 3   d
e      ≤ 3   e
Note: The values calculated for this look-up table are based on reliability values at the mid-point for each PL.
In the example of the safe stop function, all three components involved have performance level e. As a result, the lowest performance level of a safety-related subcircuit (SRP/CS) is also PL e. Using the standard's terminology, therefore, we have:
3 x SRP/CS, each with PL e.
The lowest performance level of the 3 subcircuits (SRP/CS) is PL e and is assigned the parameter PLlow.
The lowest performance level occurs in 3 subcircuits, so the parameter Nlow = 3.
If you apply this information to Table 11 of the standard, the result for the example is an overall classification of PL e.
Block diagram (PLlow = PL e): The block diagram shows the logical structure of the safety function, consisting of the series connection of the safety-related subcircuits.
Determination of the performance level for the holding brake
Here the user of EN ISO 13849-1 is confronted with one of the positive approaches of this standard. The standard not only enables examination of the electrical part of the safety function, but also of the mechanical, hydraulic and pneumatic section. However, the holding brake used in this example does not have a performance level, as this is only available for intelligent components. The brake manufacturer can only provide a B10d value, as he does not know exactly how his components will be used in the application and so can only make a statement regarding the number of operations before a component failure. The design engineer constructing the safety-related part of the control system must now calculate the time to a dangerous failure of the component. The B10d value is not the only consideration in this calculation; the mean time between two consecutive cycles is also a key factor which influences the MTTFd value.
MTTFd = B10d / (0.1 x nop)
nop = (dop x hop x 3600 s/h) / tcycle
The following assumptions are made, based on the application of the component:
hop is the mean operating time in hours per day
dop is the mean operating time in days per year
tcycle is the mean time between the start of two consecutive cycles of the component (e.g. switching a valve) in seconds per cycle
Assuming that the calculation of the MTTFd for the holding brake results in a value of > 100 years, this gives an MTTFd classification of HIGH. EN ISO 13849-1 provides a graph to make it easier to determine the performance level. To read the performance level from this graph, the diagnostic coverage DC is required. To determine the level of diagnostic coverage it is important to know whether every conceivable error can be detected through tests. Based on this consideration, a high classification will be possible if a safe converter is used to drive the motor and the holding brake is always tested automatically before the danger zone is accessed. To do this, a torque is established with a factor of 1.3 to the brake's rated holding torque, before waiting for at least one second. If the axis holds its position during the whole test, it can be assumed that the holding brake is in good working order. On this basis, it is possible to define the diagnostic coverage at 99%.
So we now have the following data:
Category = 4
MTTFd = high
DC = high
If this data is applied to the graph, PL e can be determined.
Determination of the performance level for the overall circuit
In the illustrated example of the safe stop function on a servo axis with holding brake, all four components involved have performance level e. As a result, the lowest performance level of a subcircuit (SRP/CS) is also PL e. Using the standard's terminology, therefore, we have:
4 x SRP/CS, each with PL e
The lowest performance level of the 4 subcircuits (SRP/CS) = PL e and is assigned the parameter PLlow
The lowest performance level occurs in 4 subcircuits, so the parameter Nlow = 4
If this information is applied to Table 11 of EN ISO 13849-1 for a simplified calculation, the result for the example is an overall classification of PL d. Unlike the example for the safe stop function (without brake), a reduction factor now applies: in accordance with EN ISO 13849-1, the achieved performance level is reduced by one level if the overall circuit contains more than three subcircuits with PLlow. However, in this case, a detailed calculation using the achieved PFHD values can certainly result in PL e. This is where software tools such as the PAScal Safety Calculator come into their own.
Safety Calculator PAScal
Block diagram (PLlow = PL e): The block diagram shows the logical structure of the safety function, consisting of the series connection of the safety-related subcircuits.
MTTFd = B10d / (0.1 x nop)
nop = (dop x hop x 3600 s/h) / tcycle
The following assumptions are made, based on the application of the component:
hop is the mean operating time in hours per day
dop is the mean operating time in days per year
tcycle is the mean time between the start of two consecutive cycles of the component (e.g. switching a valve) in seconds per cycle
Assumptions: B10d = 100,000; hop = 16 h/day; dop = 220 d/year
Calculation of MTTFd:
tcycle = 5 s: MTTFd = 0.395 years
tcycle = 3,600 s: MTTFd = 284.1 years
As shown in the example with cyclical operation in 5 s intervals, even in the best case it is only possible to achieve PL c with a B10d value of 100,000. This demonstrates very clearly that the application range for wearing components has a direct influence on the calculation of the performance level and therefore affects the achievable safety level. The design engineer must therefore look very closely at the application range of his components in the respective application. Even if EN ISO 13849-1 states 100,000 cycles for B10d, there may well be special components with a higher B10d value. If an application uses a pushbutton as an E-STOP command device, it will certainly not be operated constantly at 5 second intervals. The situation is completely different if a pushbutton is used as a command device for cyclic initiation of a machine cycle and has to trigger a safe stop once released. The values stated in the example may cause a problem if a higher performance level is required.
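The arithmetic behind the two worked examples (the B10d-to-MTTFd calculation for the holding brake, and Table 11 for the series-connected SRP/CS of the safe stop function), as an added script that is not Pilz code and not PAScal. The MTTFd formulas and Table 11 are those printed above; the MTTFd bands and the simplified category/DC/MTTFd lookup are taken from the standard (its Table 6 and Table 7) and are an assumption of this example.

```python
"""EN ISO 13849-1 figures from the compendium's servo-axis examples.

Added example, not Pilz code. MTTFd formulas and Table 11 as printed in
the text; MTTFd bands and the simplified PL table are reproduced from
the standard (Table 6 / Table 7) and are this example's reading of it.
"""
from typing import Optional, Sequence

SECONDS_PER_HOUR = 3600


def n_op(h_op: float, d_op: float, t_cycle_s: float) -> float:
    """Mean number of operations per year: nop = dop x hop x 3600 s/h / tcycle."""
    return d_op * h_op * SECONDS_PER_HOUR / t_cycle_s


def mttfd_years(b10d: float, n_op_per_year: float) -> float:
    """MTTFd = B10d / (0.1 x nop): 10 % of the B10 failures are taken as dangerous."""
    return b10d / (0.1 * n_op_per_year)


def mttfd_band(mttfd: float) -> Optional[str]:
    """Band per the standard: low 3..<10 a, medium 10..<30 a, high 30..100 a.
    Values above 100 years are capped at 100 (so '> 100 years' is still HIGH);
    below 3 years a channel cannot be used for a PL at all."""
    capped = min(mttfd, 100.0)
    if capped < 3.0:
        return None
    if capped < 10.0:
        return "low"
    if capped < 30.0:
        return "medium"
    return "high"


# Simplified PL determination (the standard's 'graph', Table 7 / Figure 5):
# (category, DCavg) -> PL for MTTFd band low / medium / high; None = not covered.
SIMPLIFIED_PL = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": None},
    ("1", "none"):   {"low": None, "medium": None, "high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "d"},
    ("4", "high"):   {"low": None, "medium": None, "high": "e"},
}


def simplified_pl(category: str, dc: str, band: Optional[str]) -> Optional[str]:
    """PL of one subcircuit from category, diagnostic coverage and MTTFd band."""
    if band is None:
        return None
    return SIMPLIFIED_PL.get((category, dc), {}).get(band)


# Table 11: PLlow -> (Nlow threshold, PL when Nlow > threshold, PL otherwise)
SERIES_TABLE = {
    "a": (3, None, "a"),
    "b": (2, "a", "b"),
    "c": (2, "b", "c"),
    "d": (3, "c", "d"),
    "e": (3, "d", "e"),
}


def combined_pl(subcircuit_pls: Sequence[str]) -> Optional[str]:
    """PL of series-connected SRP/CS: find PLlow and how often it occurs (Nlow)."""
    pl_low = min(subcircuit_pls)                 # 'a' < ... < 'e' sorts correctly
    n_low = list(subcircuit_pls).count(pl_low)
    threshold, above, within = SERIES_TABLE[pl_low]
    return above if n_low > threshold else within


def brake_example(t_cycle_s: float, b10d: float = 100_000,
                  h_op: float = 16, d_op: float = 220) -> float:
    """The compendium's holding-brake case: B10d = 100,000, 16 h/day, 220 d/year."""
    return mttfd_years(b10d, n_op(h_op, d_op, t_cycle_s))


if __name__ == "__main__":
    for t in (5, 3600):
        m = brake_example(t)
        print(f"tcycle = {t:>5} s: MTTFd = {m:8.3f} years -> band {mttfd_band(m)}")
    # Brake as a subcircuit: Category 4, DC high, MTTFd high -> PL e
    print("brake PL:", simplified_pl("4", "high", "high"))
    # Safe stop: 3 x PL e -> PL e; with holding brake: 4 x PL e -> PL d (Nlow > 3)
    print("3 x PL e ->", combined_pl(["e", "e", "e"]))
    print("4 x PL e ->", combined_pl(["e", "e", "e", "e"]))
```

The 5 s cycle lands below the 3-year floor, which is why the band function returns None for it; the 3,600 s cycle exceeds 100 years and is capped, giving HIGH as the text states.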
Block diagram (PLlow = PL e): The block diagram shows the logical structure of the safety function, consisting of the series connection of the safety-related subcircuits (SRP/CS).
In conjunction with light curtains and a muting circuit, the safe direction function (SDI) has a positive effect on safety because the respective direction of the drive axis is monitored during the muting phase and a safe shutdown occurs in the event of an error.
Determination of the performance level for the overall circuit
The performance level corresponds to the result from the example of the safe stop function.
7.6.1.7 External motion monitoring with one standard encoder
In this example, one standard rotary encoder as sensor is responsible for motion detection. Various combinations are possible in conjunction with the drive controller. The hazardous function is shut down via an STO function available within the drive. If it is only the monitoring device that evaluates the encoder signals for the safety function, i.e. the drive controller does not use an encoder or only uses a separate encoder, a maximum of performance level PL c can be achieved. This requires an encoder with MTTFd = high and classification as a well-tried component or Category 1, or alternatively direct classification as PL c.
If the monitoring device evaluates the encoder signals while the drive controller for position control uses the same signals simultaneously, a performance level of up to PL d can be achieved. This requires an encoder with MTTFd = medium/high. The drive controller acts as an additional diagnostic instance for the safety function through the appropriate parameterisation and activation of drag error detection (incl. shutdown). A pure frequency converter (FC) without control function cannot be used in this case. The following safety functions are possible with the illustrated configuration:
Safely limited speed (SLS)
Safe direction (SDI)
Safe operating stop (SOS)
Safe speed range (SSR)
Note: The safety functions that can be realised depend on the monitoring functions implemented in the external monitoring device.
7.6.1.8 External motion monitoring with standard encoder and proximity switch
Generally speaking, two separate sensors for motion detection are required in order to achieve the highest safety level (PL e) with standard sensors. Depending on the external monitoring device, these may be two rotary encoders or, as shown in this example, one rotary encoder and an additional proximity switch. The corresponding values for MTTFd are required for the sensors. This enables the performance level to be calculated for the sensor subsystem, which consists of the encoder and proximity switch; this can then be used to calculate the performance level for the overall safety function. The hazardous function is shut down via an STO function available within the drive. The encoder signals evaluated by the monitoring device for the safety function can also be used by the drive controller for speed and position control. However, this is not absolutely essential for the safety function. The following safety functions are possible with the illustrated configuration:
Safely limited speed (SLS)
Safe direction (SDI)
Safe operating stop (SOS)
Safe speed range (SSR)
Note: The safety functions that can be realised depend on the monitoring functions implemented in the external monitoring device.
7.6.1.9 External motion monitoring with two standard proximity switches
Without a rotary encoder, safety-related motion monitoring can still be implemented using standard sensors in the form of proximity switches, even up to the highest safety level (PL e). As in the previous example, two separate proximity switches are required for motion detection. If common cause failures (CCF), due to EMC for example, cannot be excluded or managed on both proximity switches, the use of diverse components from different manufacturers or of different types is recommended. The corresponding values for MTTFd are required for the proximity switches. This enables the performance level to be calculated for the sensor subsystem, which consists of the two proximity switches; this can then be used to calculate the performance level for the overall safety function. The hazardous function is shut down via an STO function available within the drive. The following safety function is possible with the illustrated configuration:
Safely limited speed (SLS)
Note: The safety functions that can be realised depend on the monitoring functions implemented in the external monitoring device.
7.6.1.10 External motion monitoring with safe encoder
Manufacturers are increasingly offering safe encoders for motion monitoring tasks. These devices are designed specifically for use in safety functions and are certified accordingly. As a result, a performance level of PL d or PL e can be achieved, depending on the construction type. This is usually possible with just one encoder, i.e. there is no need for two devices, as is the case when standard components are used. However, safe encoders are not actually safe until they are combined with a safe monitoring device, because there are no diagnostic or plausibility tests implemented within the encoder. The use of safe encoders, therefore, requires detailed knowledge of the requirements for use in safety-related applications, as described by the manufacturer in the operating manual. The monitoring device must be able to meet these requirements exactly by performing the monitoring functions demanded by the device manufacturer.
One test that is often demanded, for example, is the absolute value check for sin/cos encoders: sin² + cos² = 1. If this check is not implemented within a monitoring device, the device cannot be used in combination with a safe encoder that requires such a check. To date there is still no uniform or even standardised interface for safe encoders, so the encoder manufacturers' requirements for their products vary enormously. That's why it is absolutely essential that the safe encoder and safe monitoring device are totally compatible. In this example, the hazardous movement is shut down via the STO function available within the drive. The following safety functions can be implemented with the illustrated configuration:
Safely limited speed (SLS)
Safe direction (SDI)
Safe operating stop (SOS)
Safe speed range (SSR)
Note: Details of the safety functions that can be realised depend on the monitoring functions implemented in the external monitoring device.
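The absolute value check named above, sin² + cos² = 1, as an added example of the kind of diagnostic a monitoring device must perform; this is not Pilz code or a real monitoring device. The samples are constructed, the signals are assumed normalised to unit amplitude, and the tolerance band is an assumption.

```python
"""Vector-length (absolute value) plausibility check for a sin/cos encoder.

Added example, not Pilz code. Samples are constructed; the encoder signals
are assumed normalised so that a healthy sample has sin^2 + cos^2 = 1, and
the acceptance band TOLERANCE is an assumed value, not a manufacturer's.
"""
import math
from typing import List, Sequence, Tuple

Sample = Tuple[float, float]   # (sin, cos) as sampled by the monitoring device
TOLERANCE = 0.15               # assumed acceptance band around a vector length of 1


def vector_length_ok(sin_v: float, cos_v: float, tol: float = TOLERANCE) -> bool:
    """True if the sample lies on the unit circle within the tolerance band."""
    return abs(sin_v * sin_v + cos_v * cos_v - 1.0) <= tol


def failing_samples(samples: Sequence[Sample], tol: float = TOLERANCE) -> List[int]:
    """Indices of samples that violate the check. A safe monitoring device would
    treat the first violation as an encoder fault and trigger the STO function."""
    return [i for i, (s, c) in enumerate(samples) if not vector_length_ok(s, c, tol)]


def constructed_samples() -> List[Sample]:
    """16 healthy samples over one electrical period (with a small offset
    error), followed by three fault cases: sine track open (stuck at 0),
    both tracks shorted to the same level, and sine track shorted to supply."""
    healthy = [(math.sin(a) + 0.01, math.cos(a) - 0.01)
               for a in (k * math.pi / 8 for k in range(16))]
    faults = [(0.0, 0.3), (0.9, 0.9), (1.5, 0.2)]
    return healthy + faults


if __name__ == "__main__":
    samples = constructed_samples()
    print("faulty sample indices:", failing_samples(samples))   # [16, 17, 18]
```

A frozen encoder whose last sample still lies on the unit circle passes this check, which is why the manufacturer's other demanded tests (e.g. plausibility against the drive's own position) are needed as well.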
Block diagram of the safety functions (PLlow = PL e).
Determination of the performance level for the overall circuit
The result is performance level d.
Block diagram of the safety functions (PLlow = PL e).
Several boundary conditions are involved in calculating a safety distance.
Determination of the reaction time in the case of external commands
If an E-STOP pushbutton acts upon an evaluation device, its reaction time is added to the reaction time of the drive-integrated safety function. It will also be necessary to add the time needed to bring an accelerated axis to standstill:
treac = tmulti + tPMC + tramp
tmulti = reaction time of the evaluation device, approx. 20 ms
tPMC = reaction time of the drive-integrated safety functions to external signals, 6 ms
tramp = ramp time to standstill; depends on the moved mass, speed and other application-dependent data
Determination of the reaction time when limit values are violated
If a monitoring circuit on a drive-integrated safety function is activated, it will be necessary to add the time needed to bring the accelerated axis to standstill:
treac = tPMC + tramp
Chapter 8 Content
Successful product (figure): fulfils the technical function; economical to manufacture and in use.
Ground rules for designing successful products.
2011-11 Pilz GmbH & Co. KG, 2012
Context of risk evaluation (figure): risk R = S x F, with S the severity (serious) and F the frequency; dangers occurring frequently during normal operation versus stochastic dangers occurring seldom and briefly over the operating time; protective options.
Basic mechanical hazards (figure): kinetic energy, objects; danger sources due to uncontrolled moving parts (danger emanates from a specific location); potential energy, free movement, places where you can fall; inertia forces.
Design measures (figure):
Deterministic dangers over the operating time. Objective: eliminate faults that lead to danger. Deterministic methods: avoid dangers; warn of dangers.
Stochastic dangers over the operating time. Objective: manage faults that lead to danger. Stochastic methods: failsafe principle; redundancy principle.
Check valve (figure):
Unfavourable: When the hose assembly fails, the medium leaks before the check valve. The tool drops in an uncontrolled manner.
Favourable: When the hose assembly fails, the controlled check valve prevents the liquid column from breaking. The tool remains above.
Diversity in the action principle of the safety device (figure: homogeneous arrangement versus diverse components; safety valve and rupture disc): Switching the action principle makes it unlikely that the independent safety devices, which operate to different principles and are made by different manufacturers, would fail simultaneously.
Diversity in the physical principle (figure: pressure sensor and temperature sensor, each acting on its own actuator): Each of the diverse, controlled valves is activated by the control systems CS1/CS2, which react if a limit value on either of two process variables connected by a physical law (e.g. the general equation of state) is exceeded.
Safety technology methods (table):

  Safety technology   Action principle
  Indirect            Avoid dangers
  Direct              Secure against dangers
  Informative         Warn against dangers

(Diagram labels: Machining, Observe, Act, STOP!)
8.2.3.2.1 Indirect safety technology
Methods using indirect safety technology attempt to configure components, machines and processes in such a way that they present no risk, or only a low, accepted risk to people. Geometric and energetic measures are available: Geometric measures attempt to avoid the hazardous effect of danger points on moving machine parts by complying with standardised minimum distances to ensure that dangerous bottlenecks do not even arise, or by making such bottlenecks inaccessible by complying with safety distances. Energetic measures attempt to stop the energy underlying the hazard from having a harmful effect on people, by:
Limiting the effective energy
Interrupting the flow of energy to people
Targeted deformation of machine parts rather than the human body
The first measure attempts to limit the energies and forces that occur at a danger point, so that their impact remains below acceptable physiological values. Technically, however, such an energy level is generally only of limited use. The second measure prevents harmful impact on people by interrupting the flow of energy or forces towards the human body before the pain threshold is reached. The third measure reduces the rigidity of machine parts to such an extent that, if a danger point is accessed, machine rather than body parts are deformed. Caution is required, however: Indirect safety technology is often portrayed as a silver bullet, but it cannot be applied on danger points with technological functions. Safeguards against these dangers should be provided via special measures such as protective devices, for example.
8.2.3.2.2 Direct safety technology
Components used in direct safety technology safeguard against dangers that are necessary to the machine function and therefore cannot be avoided. Protective devices are arranged between operator and danger, preventing the two coinciding in time and space. Guards or protective devices are used. Guards, e.g. enclosures or covers, form impenetrable physical barriers and as such protect against entry or access to hazardous situations. They can also prevent operators being hit by objects ejected from the protected areas.
Although protective devices such as two-hand circuits or light beam devices do not prevent entry or access to hazardous situations, they do render them ineffective by influencing the process via the machine control system as soon as they are activated. Ergonomic aspects decide on the manageability and therefore the acceptance of the protective devices. The most important ergonomic requirement is that the demands placed on operators during day-to-day handling of the protective device must be no more than necessary.
Safeguards hold back the uncontrolled moving parts, absorb their kinetic energy and stop them reaching people.
Basic types of protective device (figure, classified by whether they separate person and danger in space, in space and time, or in time):
Fixed guard (space): covers, enclosures, guards. When in position, safeguards provide a physical barrier between the danger points and the work/traffic area. People are unable to reach danger points.
Impeding device (space and time): Safeguards are kinematically connected to hazardous movements. They positively keep people away from danger zones.
Opening the safeguard interrupts the hazardous movement and lifts the physical barrier between the danger point and person. Its safety depends on the reliable function of the safety-related parts of the control system.
During the hazardous movement, safeguards bind people to a safe location, from which they cannot reach the danger points. If a person should leave the safe location, the hazardous movement is stopped.
Safeguard with presence sensing (time, reliable control measures): optoelectronic and capacitive sensors, safe edges, pressure-sensitive mats, light grids, scanners. Safeguards prevent hazards by interrupting hazardous movements as soon as anyone exceeds the safe limits and approaches the danger point.
1) Source: Neudörfer, A.: Konstruieren sicherheitsgerichteter Produkte [Design of safety-related products], 4th edition, Heidelberg, Berlin, New York et al., Springer, 2011.
Means of informative safety technology (figure):
Static visual means: text, operating instructions, graphic symbols, safety marks, marking.
Dynamic visual means: light signals, active diagrams (e.g. status indicators such as Main motor, Infeed table open, Cover open, No compressed air, Film broken, Magazine empty).
Aural means: acoustic signals.
Tactile means: moving objects, evasive safeguard.
The valve does not switch, so the piston rod does not move either. There is no danger. There may be various causes: it may be that voltage is not reaching the valve coil, or the valve may be defective. Sometimes the armature in the coil or the piston in the valve may stick. A different type of error occurs if the valve does not switch back. In this case, the piston rod continues to extend or remains extended. On the electrical side, a short circuit may be the reason, or possibly the valve piston is hanging up. In any case, this is a dangerous failure.
Interaction between electrical engineering and pneumatics (source: Festo).
Cylinder with clamping cartridge and monostable 5/2 directional valve (source: Festo).
Ventilation time based on hose length and diameter at 6 bar (600 kPa) (source: Festo): curves for 4.0 mm, 5.5 mm and 9.0 mm hose diameter plotted over hose length; the 9 mm hose is faster.
The ventilation time rises as the length of the hose increases; the increase is more pronounced on thin hoses than on thick ones. The behaviour when venting is the same, so the brake's reaction time depends on the hose. With a long, thin hose, the brake activates later than with a short, thick hose. For this reason, it is always beneficial to locate the shift valve directly on the brake. The brake closes when the pressure drops below approx. 3.5 bar. So when the compressed air drops below the set operating pressure, the brake reacts more quickly. However, care needs to be taken if the machine operator can adjust the operating pressure on the machine himself. If the operating pressure is increased, the venting time will also be extended. The brake will react later and the stopping distance will be longer. Brakes and clamping cartridges are zero fault tolerant, in other words, they can fail. Just like on a car, a brake is subject to constant wear. For this reason, it must be tested at appropriate intervals. For further details on the design and testing of the brake please refer to the operating manual or consult the manufacturer.
8.3.5 Circuit diagram and operating manual
To conclude, some thoughts on pneumatic circuit diagrams: Annex 7 of the Machinery Directive calls for instructions. These instructions should provide all persons working on the machine with all the information necessary to perform their work safely. For maintenance engineers this means access to complete, accurate circuit diagrams that match the machine. They must be able to locate the components they see on the circuit diagram on the machine, otherwise it is impossible to work safely. Connection designations should be included in the circuit diagram; the hose connections should be made accordingly. Components should be identified and the connections named. These markings should be identifiable over the whole of the machine's service life. It makes sense for
Length (symbols: µm, mm, cm, dm, m, km)
1 µm = 0.001 mm
1 mm = 0.1 cm = 0.01 dm = 0.001 m
1 cm = 10 mm = 10,000 µm
1 dm = 10 cm = 100 mm = 100,000 µm
1 m = 10 dm = 100 cm = 1 000 mm = 1,000,000 µm
1 km = 1 000 m = 100,000 cm = 1,000,000 mm
Area (symbols: cm², dm², m², a, ha, km²)
1 cm² = 100 mm²
1 dm² = 100 cm² = 10,000 mm²
1 m² = 100 dm² = 10,000 cm² = 1,000,000 mm²
1 a = 100 m²
1 ha = 100 a = 10,000 m²
1 km² = 100 ha = 10,000 a = 1,000,000 m²
Volume (symbols: cm³, dm³, m³, ml, l, hl)
1 cm³ = 1 000 mm³ = 1 ml = 0.001 l
1 dm³ = 1 000 cm³ = 1,000,000 mm³
1 m³ = 1 000 dm³ = 1,000,000 cm³
1 ml = 0.001 l = 1 cm³
1 l = 1 000 ml = 1 dm³
1 hl = 100 l = 100 dm³
= 0.981 bar
Mass (Milligram mg, Gram g, Kilogram kg, Tonne t, Megagram Mg)
1 mg = 0.001 g
1 g = 1 000 mg
1 kg = 1 000 g = 1,000,000 mg
1 t = 1 000 kg = 1,000,000 g
1 Mg = 1 t
8.4.6.4 Force and path transmission
The principle of force and path transmission can best be explained using the example of a hydraulic press: In accordance with Pascal's law, the pressure generated by the force F1 is transmitted equally to all parts of the fluid and to the area A2. This gives:

p = F1 / A1 = F2 / A2, i.e. F2 = F1 · A2 / A1

[Figure: hydraulic press with pistons of area A1 and A2, forces F1 and F2 and piston paths S1 and S2]
In this way, it is possible to illustrate the principle of force transmission: For example, if the area A2 is ten times greater than the area A1 (A2=10*A1), the force F1 will also be transmitted at ten times its value.
When designing hydraulic systems it is necessary to check whether the gravitational pressure is of any notable size compared with the pressures occurring within the system. Generally the gravitational pressure is not of any note because it is often less than the required system pressure.
[Figure: hydraulic press with pistons of area A1 and A2, forces F1 and F2 and piston paths S1 and S2]

p2 = p1 · A1 / A2

If, for example, the area A1 is twice the size of area A2 (A1 = 2·A2), the pressure p1 will be transmitted at double its value.

8.4.6.6 Hydraulic work
On the hydraulic press, if piston 1 with the area A1 is moved downwards along the path S1 by the force F1, the hydraulic work executed in the process is W1. The hydraulic work executed at piston 2 (area A2) during this process is W2.

8.4.6.7 Volumetric efficiency factor
This takes into account the volumetric losses resulting from leakage flows. The hydraulic-mechanical efficiency factor gauges the losses resulting from flow losses and from sliding machine parts.

Bernoulli's equation is a special case derived from the familiar Navier-Stokes equations of fluid mechanics, which apply to three-dimensional viscous flows. The equation in its energy form is:
= const.

8.4.6.10 Flow forms
Laminar or turbulent flow forms occur in the tubes of hydraulic systems. With a laminar flow, the fluid particles move in orderly, separate layers, which is why we talk of a flow direction. The flow lines run parallel to the tube axis. With a turbulent flow, the fluid no longer moves in orderly layers. The main axial flow is now superimposed at all points by random longitudinal and transverse movements, which result in a disturbed flow. The flow is thereby mixed. The transition from a laminar to a turbulent flow occurs in straight tubes with a circular cross section when the critical Reynolds number Re_crit = 2320 is exceeded. The corresponding critical flow speed is:

v_crit = Re_crit · ν / d

(ν = kinematic viscosity of the fluid, d = tube inside diameter)
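The flow-form criterion above can be applied to a real line. The following is an added example written for this edition, not code from the Pilz book: it computes the mean flow speed from a volume flow, the Reynolds number Re = v·d/ν and the critical speed v_crit = Re_crit·ν/d with Re_crit = 2320 as stated above. The sample line data (30 l/min through a 12 mm tube, oil with a kinematic viscosity of 46 mm²/s) are constructed for the example.

```python
"""Flow form in a hydraulic tube from the Reynolds number (section 8.4.6.10).
Constructed example; not code from the Pilz Safety Compendium."""
import math

RE_CRIT = 2320.0   # critical Reynolds number for straight tubes of circular cross section


def reynolds_number(v_m_s: float, d_m: float, nu_m2_s: float) -> float:
    """Re = v·d/ν: v = mean flow speed, d = tube inside diameter, ν = kinematic viscosity."""
    return v_m_s * d_m / nu_m2_s


def critical_speed(d_m: float, nu_m2_s: float, re_crit: float = RE_CRIT) -> float:
    """v_crit = Re_crit·ν/d, the speed at which the flow becomes turbulent [m/s]."""
    return re_crit * nu_m2_s / d_m


def flow_form(re: float, re_crit: float = RE_CRIT) -> str:
    """Laminar below the critical Reynolds number, turbulent at or above it."""
    return "laminar" if re < re_crit else "turbulent"


def flow_speed(q_l_min: float, d_m: float) -> float:
    """Mean speed in a circular tube from the volume flow: v = Q/A [m/s]."""
    area_m2 = math.pi * d_m ** 2 / 4.0
    q_m3_s = q_l_min / 1000.0 / 60.0          # l/min -> m³/s
    return q_m3_s / area_m2


def assess_line(q_l_min: float, d_mm: float, nu_mm2_s: float) -> dict:
    """Evaluate one line: inputs in l/min, mm and mm²/s (the usual data-sheet units)."""
    d = d_mm / 1000.0
    nu = nu_mm2_s * 1e-6
    v = flow_speed(q_l_min, d)
    re = reynolds_number(v, d, nu)
    return {
        "v_m_s": v,
        "re": re,
        "v_crit_m_s": critical_speed(d, nu),
        "form": flow_form(re),
    }


if __name__ == "__main__":
    # Constructed sample: 30 l/min, 12 mm tube, oil with ν = 46 mm²/s.
    print(assess_line(30.0, 12.0, 46.0))
    # Same line with a thin fluid (ν = 10 mm²/s): the same speed is now turbulent.
    print(assess_line(30.0, 12.0, 10.0))
```

The second call shows the point of the section: the speed is unchanged, but a lower viscosity moves the same line across Re_crit, so the pressure-loss behaviour described in 8.4.6.12 changes with the fluid, not only with the tube.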
is known as Newton's law of friction. The first symbol stands for the friction shear stress and the second for the dynamic viscosity of the fluid, a property that represents a measure of the internal friction, which makes it more difficult for the fluid particles to move. The energy expended in moving the particles is converted into heat. The definition of the viscosity used in hydraulics:
8.4.6.12 Pressure losses in tubes, fittings and valves
When fluid flow is friction-free, the total energy comprising pressure energy, kinetic energy and potential energy is constant. With real fluid flows (subject to friction), due to the influence of the viscosity, part of the flow energy is converted into thermal energy, which cannot be utilised technically and is therefore regarded as flow loss. Only the pressure energy can be affected by losses due to frictional influences. Considerable pressure losses occur in fittings (tube bends, tube branches, extensions, narrowings) due to frictional influences. The calculated resistance coefficient is used for the numeric simulation.
Formula symbols/units:
  F = Piston pressure force [N]
  p = Hydraulic pressure [bar]
  A = Piston area [cm²]
  d = Piston diameter [cm]
  η = Cylinder efficiency factor

Piston forces
Equation/equation conversion:
  F = pe · A · 10 · η
  A = F / (pe · 10 · η)
  pe = F / (A · 10 · η)
  Circular area: A = π · d² / 4
  Circular ring area: A = π · (D² - d²) / 4
Formula symbols/units:
  F = Piston pressure force [N]
  pe = Excess pressure on the piston [bar]
  A = Effective piston area [cm²]
  d = Piston diameter [cm]
  η = Cylinder efficiency factor
Continuity equation
[Figure: two cylinders in series with cross-sectional areas A1, A2, volume flow rates Q1, Q2 and flow speeds v1, v2]
Equation/equation conversion:
  Q1 = Q2
  Q1 = A1 · v1
  Q2 = A2 · v2
  A1 · v1 = A2 · v2
Formula symbols/units:
  Q1,2 = Volume flow rates [cm³/s, dm³/s, m³/s]
  A1,2 = Cross-sectional areas [cm², dm², m²]
  v1,2 = Flow speeds [cm/s, dm/s, m/s]

Piston speed
[Figure: differential cylinder with piston area A1 (circle), ring area A2, flow rates Q1, Q2 and piston speeds v1, v2]
Equation/equation conversion:
  v1 = Q1 / A1
  v2 = Q2 / A2
  A1 = π · d² / 4
  A2 = π · (D² - d²) / 4
Formula symbols/units:
  v1,2 = Piston speed [cm/s]
  Q1,2 = Volume flow rate [cm³/s]
  A1 = Effective piston area (circle) [cm²]
  A2 = Effective piston area (ring) [cm²]

Pressure intensifier
[Figure: pressure intensifier with piston area A1 at pressure p1 and piston area A2 at pressure p2]
Equation/equation conversion:
  p1 · A1 = p2 · A2
Formula symbols/units:
  p1 = Pressure in the small cylinder [bar]
  A1 = Piston area [cm²]
  p2 = Pressure on the large cylinder [bar]
  A2 = Piston area [cm²]
[Figure: directional valve with actuation force, pump and tank]
[Figure: load held by a directional valve with ports P, T, A and B; pump, tank and drive motor M]
[Figure: Cylinder 1 and Cylinder 2 with Limit switch 1 to Limit switch 4]
Circuit diagram for two cylinder control systems with electric valves.
[Figure: two cylinders with sequence valve, check valve and directional valve]
Circuit diagram for two cylinder control systems with sequence valves.
[Figure: two cylinders with piston areas A1, A2, ring areas AR1, AR2, forces F1, F2, weight force FG1, speeds V1, V2, directional valves and return line at pressure p]
[Figure: circuit with manometer and variable pump]
8.4.16 Differential circuit
The rod chamber is constantly under pressure; the piston chamber is connected to a directional valve. This circuit is called a differential circuit because the force acting on the piston rod is determined by the difference between piston area and rod area. The differential circuit is used when the piston must be hydraulically clamped and the pump must be as small as possible. If the piston extends via the directional valve, the fluid displaced from the ring area is combined with the pump flow ahead of the directional valve and is fed back to the piston side of the cylinder. With this circuit, the force exerted by the piston rod is calculated as the product of pressure times rod area.
[Figure: differential circuit with piston chamber, directional valve (3/2 valve) and rod chamber]
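The formula tables above (piston forces, continuity equation, piston speed, pressure intensifier) and the differential circuit of 8.4.16 all reduce to a handful of relations that are easy to get wrong in units. The following is an added example for this edition, not code from the Pilz book, that implements them in the units the tables use (bar, cm, cm², N, cm³/s). In the ring-area formula the book defines only d; the example assumes D is the piston diameter and d the rod diameter. The worked press in press_example() uses constructed values (d1 = 2 cm, A2 = 10·A1, F1 = 500 N, S1 = 10 cm) and neglects losses, so that the path relation A1·S1 = A2·S2 holds.

```python
"""Hydraulic press and piston calculations in the units of the book's formula
tables (bar, cm, cm², N, cm³/s, cm/s).  Constructed example; not code from the
Pilz Safety Compendium."""
import math

BAR_TO_N_PER_CM2 = 10.0   # 1 bar = 10 N/cm²: the factor 10 in F = pe·A·10·η


def circle_area(d_cm: float) -> float:
    """Full piston area A = π·d²/4 [cm²]."""
    return math.pi * d_cm ** 2 / 4.0


def ring_area(D_cm: float, d_cm: float) -> float:
    """Ring (rod-side) area A = π·(D² - d²)/4 [cm²].
    Assumption: D = piston diameter, d = rod diameter."""
    if not 0.0 < d_cm < D_cm:
        raise ValueError("rod diameter must be positive and smaller than the piston diameter")
    return math.pi * (D_cm ** 2 - d_cm ** 2) / 4.0


def piston_force(pe_bar: float, area_cm2: float, eta: float = 1.0) -> float:
    """Piston pressure force F = pe·A·10·η [N]."""
    return pe_bar * area_cm2 * BAR_TO_N_PER_CM2 * eta


def transmitted_force(f1_n: float, a1_cm2: float, a2_cm2: float) -> float:
    """Pascal's law p = F1/A1 = F2/A2, solved for F2 = F1·A2/A1 [N]."""
    return f1_n * a2_cm2 / a1_cm2


def transmitted_pressure(p1_bar: float, a1_cm2: float, a2_cm2: float) -> float:
    """Pressure intensifier p1·A1 = p2·A2, solved for p2 = p1·A1/A2 [bar]."""
    return p1_bar * a1_cm2 / a2_cm2


def piston_speed(q_cm3_s: float, area_cm2: float) -> float:
    """Continuity Q = A·v, solved for v = Q/A [cm/s]."""
    return q_cm3_s / area_cm2


def differential_force(pe_bar: float, D_cm: float, d_cm: float) -> float:
    """Differential circuit (8.4.16): pressure acts on both piston faces, so the
    net force is pe·(A_piston - A_ring)·10, which equals pe·A_rod·10 [N]."""
    return piston_force(pe_bar, circle_area(D_cm) - ring_area(D_cm, d_cm))


def press_example() -> dict:
    """Worked press with constructed values: d1 = 2 cm and A2 = 10·A1, as in the
    book's numerical example; F1 = 500 N applied over S1 = 10 cm."""
    a1 = circle_area(2.0)
    a2 = 10.0 * a1
    f1, s1 = 500.0, 10.0
    f2 = transmitted_force(f1, a1, a2)
    # Equal displaced volume A1·S1 = A2·S2 (losses neglected) gives the path of
    # piston 2; the hydraulic work W1 = F1·S1 then equals W2 = F2·S2.
    s2 = s1 * a1 / a2
    return {
        "A1_cm2": a1, "A2_cm2": a2,
        "F2_N": f2, "S2_cm": s2,
        "W1_Ncm": f1 * s1, "W2_Ncm": f2 * s2,
        "p_bar": f1 / a1 / BAR_TO_N_PER_CM2,   # same pressure on both pistons
    }


if __name__ == "__main__":
    for key, value in press_example().items():
        print(f"{key:8s} {value:10.3f}")
    print("differential force at 100 bar, D = 10 cm, d = 5 cm:",
          round(differential_force(100.0, 10.0, 5.0), 1), "N")
```

Note that the efficiency factor η only enters the force on a real cylinder; the transmission ratios of the press and of the intensifier are pure area ratios, which is why the worked press reports equal work W1 and W2.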
[Figure: gear pump with suction chamber and discharge chamber]
8.4.18 Drive pumps, fixed pumps
On fixed pumps, the displacement volume cannot be changed.
The principle: The fluid conveyed from the suction side to the discharge side is displaced alternately from the gaps between the interlocking cogs.
Advantages: Low-cost standard pump with a high efficiency factor, which can be connected to other pumps working on the same principle.
Disadvantages: High noise level.
Application: In open circuits in industrial applications.
Internally toothed gear pumps: A driven pinion shaft (1) carries a toothed wheel (2).
The principle: The tooth chambers are filled on the suction side; the filler separates the suction and discharge zones. On the discharge side, the oil is displaced through the gear ring.
Advantages: Low-noise standard pump with a high efficiency factor, which can be connected to other pumps working on the same principle.
Disadvantages: More expensive than the traditional gear pump.
Application: In open circuits in industrial applications where quiet running is an important requirement.
[Figure: internally toothed gear pump. Legend: 1 Pinion shaft, 2 Gear ring, 3 Filler pin, 4 Filler, 5 Hydrostatic bearing, 6 Suction port, 7 Discharge port]
[Figure: screw pump with drive spindle, auxiliary spindle, suction nozzle and discharge nozzle]
8.4.19 Drive pumps, screw pumps
Two spindles driven jointly.
The principle: The meshing spindles form oil chambers within the housing, which are moved from the suction nozzle to the discharge nozzle as the spindles rotate.
Advantages: Pulse-free flow rate, low noise level.
Disadvantages: Relatively low efficiency factor due to high volumetric losses, so a high oil viscosity is required.
Application: In open circuits in industry; for example, on precision machines and in the lift industry. High volume flows.
8.4.20 Drive pumps, vane pumps
Moving vanes in the slots of the rotor.
The principle: The moving vanes located in the slots of the rotor are pressed against the housing wall by centrifugal force and pressure. The cell size increases while the cell is connected to the suction port and reduces while it is connected to the discharge port.
Advantages: Pulse-free flow rate, low noise level, can be flanged to multi-flow pumps.
Disadvantages: Lower efficiency factor than gear pumps, more sensitive to dirt.
Application: In open circuits in industry; for example, on precision machines with low pressure.
[Figure: hydraulic circuit with pressure limitation VDB, fluid filtration RF and LF]
8.5.5 Safety-related parts of hydraulic control systems
On fluid power systems, any valves that control hazardous movements or conditions should be regarded as safety-related parts of the control system. On hydraulic systems, the measures taken within the system to limit pressure (VDB) and to filter the hydraulic fluid (RF) should also be taken into account, although these components are not directly control components.
[Figure: hydraulic circuit with components DF, VDB, RF and LF]
8.5.7 Control systems in accordance with Category 1, Performance Level b
In addition to the requirements from Category B, Category 1 control systems must be designed and constructed using well-tried safety principles and well-tried components. Generally well-tried principles are:
- Torque/force limitation (reduced pressure)
- Reduced speed (reduced flow rate)
- Over-dimensioning
- Travel limiting, jog mode
- Sufficient positive overlapping in piston valves
- Positive force (positive mechanical action)
- Targeted selection of materials and material pairings
- Exposing safety-related springs to at least 10 % above the endurance limit based on 10^7 duty cycles
[Figure: Category 2 hydraulic circuit with directional valve WV, VDB, RF and LF]
8.5.8 Control systems in accordance with Category 2, Performance Level b
In addition to the requirements from Category B and the use of well-tried safety principles, Category 2 control systems must be designed so that their safety functions are checked at suitable intervals by the machine control system. Only one directional valve controls the hazardous movement. The electrical machine control system must test the valve's safety function as part of each cycle and on each machine start-up. The failure of the directional valve must not be able to influence the test function. Conversely, if the test function should fail, this must not affect the reliability of the directional valve. Two position switches detect each time the valve's sliding piston moves away from its safety-related middle setting. If the machine control system detects a failure in the directional valve, it immediately triggers a machine shutdown.
[Figure: Category 3 hydraulic circuit with directional valve WV, pump drive motor M, VDB, RF and LF]
The pump drive motor M is switched off by means of a monitored power contactor when the safety function is requested.

8.5.9 Control systems in accordance with Category 3, Performance Level d
In addition to the requirements from Category B and the use of well-tried safety principles, Category 3 control systems must be designed so that a single fault never leads to the loss of the safety function. In terms of safety, the hazardous movement is controlled by directional valves that switch as part of each cycle, plus the pump drive motor. This circuit is only single-fault tolerant if the shutdown of the pump motor in the event of a valve failure does not cause the cylinder's stopping distance to exceed the permitted length. A monitored power contactor with appropriate fault detection is responsible for shutting down the pump drive. In this case, the movement of the valve's sliding piston away from the safety-related middle setting is not interrogated, but two installed position switches should still detect the change of position. When the machine control system detects the failure of a directional valve, the machine is shut down safely.
[Figure: Category 4 hydraulic circuit with directional valves WV1 and WV2, VDB, RF and LF]
8.5.10 Control systems in accordance with Category 4, Performance Level e
In addition to the requirements from Category B and the use of well-tried safety principles, Category 4 control systems must be designed so that a single fault does not lead to the loss of the safety function. The objective of such safety concepts is for a single fault to be detected at or before the next demand upon the safety function. Two valves control the hazardous movement. Each valve is able to shut down the hazardous movement on its own, so single-fault tolerance is provided. Both valves are also equipped with electrical position monitoring. This ensures that all possible single faults are detected early by the control system.
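The test logic behind the Category 2 circuit (8.5.8) and the two-valve Category 4 circuit (8.5.10) can be made concrete with a small model. The following is an added example for this edition, not Pilz code: a directional valve is represented by a spool with two position switches, and run_cycle() performs the start-of-cycle test, the demand and the return to the safety-related middle setting, recording any valve whose switches disagree with the command. One valve in the list models Category 2; two valves model Category 4, where movement needs both and either alone can stop it. The monitored pump contactor is taken from the Category 3 description and used here as the second shutdown path when no valve can bring about the safe state; the stuck_at attribute is fault injection for the demonstration and has no counterpart on a real valve.

```python
"""Valve position monitoring for the Category 2 and Category 4 hydraulic
circuits described above.  Constructed model for illustration; it is not
Pilz code, and valve, switch and controller behaviour is simplified."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Pos(Enum):
    MIDDLE = "middle"   # safety-related middle setting: no hazardous movement
    ACTIVE = "active"   # spool shifted: hazardous movement released


@dataclass
class DirectionalValve:
    """Directional valve (WV) whose spool carries two position switches."""
    name: str
    stuck_at: Optional[Pos] = None   # fault injection: spool can no longer move
    spool: Pos = Pos.MIDDLE

    def command(self, target: Pos) -> None:
        self.spool = target if self.stuck_at is None else self.stuck_at

    def switches(self):
        """(S_middle, S_active): one switch per monitored spool position."""
        return (self.spool is Pos.MIDDLE, self.spool is Pos.ACTIVE)


def confirms(valve: DirectionalValve, expected: Pos) -> bool:
    """Plausibility first (exactly one switch made), then match the command."""
    s_middle, s_active = valve.switches()
    if s_middle == s_active:          # both or neither: switch or wiring fault
        return False
    return s_active if expected is Pos.ACTIVE else s_middle


@dataclass
class CycleResult:
    faults: List[str] = field(default_factory=list)
    movement_enabled: bool = False    # hazardous movement released this cycle
    stopped_by_valve: bool = False    # at least one valve confirmed the middle setting
    shutdown_triggered: bool = False  # controller reacted to a detected fault
    pump_shutdown: bool = False       # second path: monitored pump contactor


def run_cycle(valves: List[DirectionalValve]) -> CycleResult:
    """One machine cycle including the valve test.

    One valve models the Category 2 circuit (test on start-up and in every
    cycle).  Two valves model the Category 4 circuit: movement needs both,
    so either valve alone can stop it, and both are position-monitored."""
    r = CycleResult()
    # 1. Start-of-cycle test: every spool must rest in the middle setting.
    for v in valves:
        if not confirms(v, Pos.MIDDLE):
            r.faults.append(f"{v.name}: not in middle setting at cycle start")
    # 2. Demand: release movement only if every valve confirms the shift.
    if not r.faults:
        for v in valves:
            v.command(Pos.ACTIVE)
        for v in valves:
            if not confirms(v, Pos.ACTIVE):
                r.faults.append(f"{v.name}: did not reach commanded position")
        r.movement_enabled = not r.faults
    # 3. Return to the safe state; one valve in the middle setting is enough.
    for v in valves:
        v.command(Pos.MIDDLE)
    r.stopped_by_valve = any(confirms(v, Pos.MIDDLE) for v in valves)
    for v in valves:
        if not confirms(v, Pos.MIDDLE):
            r.faults.append(f"{v.name}: did not return to middle setting")
    # 4. Any detected fault shuts the machine down.  If no valve can bring
    #    about the safe state, the pump drive is switched off via the
    #    monitored power contactor (the path used in the Category 3 example).
    r.shutdown_triggered = bool(r.faults)
    r.pump_shutdown = r.shutdown_triggered and not r.stopped_by_valve
    return r


if __name__ == "__main__":
    print("Cat 2, healthy:  ", run_cycle([DirectionalValve("WV")]))
    print("Cat 2, WV stuck: ", run_cycle([DirectionalValve("WV", stuck_at=Pos.ACTIVE)]))
    cat4 = [DirectionalValve("WV1"), DirectionalValve("WV2", stuck_at=Pos.ACTIVE)]
    print("Cat 4, WV2 stuck:", run_cycle(cat4))
    print("Cat 4, next cycle:", run_cycle(cat4))
```

Running the script shows the difference the text describes: with one valve stuck in the shifted position, the Category 2 model detects the fault but can only reach the safe state through the pump contactor, whereas the Category 4 model stops via the remaining valve and refuses the demand on the following cycle, i.e. the fault is caught before the next demand on the safety function.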
[Figure: Category 4 circuit; hazardous movement controlled by directional valves WV1, WV2, WV3 and WV4, plus SV, VDB, RF and LF]
Example of hydraulic circuit (Cat 4, PL e)
2011-11 Pilz GmbH & Co. KG, 2012
Chapter 9 Appendix

Contents
9 Appendix ... 9-3
9.1 Index ... 9-3
9.2 Exclusion of liability ... 9-15

9.1 Index
Tags, 0-9
§ 1 Product Liability Act (ProdHaftG) ... 2-5
§ 3 Product Liability Act (ProdHaftG) ... 2-5
§ 4 para. 1 clause 2 Product Liability Act (ProdHaftG) ... 2-8
§ 4 Product Liability Act (ProdHaftG) ... 2-8
§ 823 para. 1 German Civil Code (BGB) ... 2-11, 2-20
1999/5/EC ... 3-15
2001/95/EC ... 3-15
2003/10/EC ... 3-15
2004/108/EC ... 3-15
2006/42/EC ... 3-5, 3-15, 3-16, 4-4
2006/95/EC ... 3-15
3 contactor combination ... 5-3, 5-6
89/686/EEC ... 3-15
98/37/EC ... 3-15, 3-16
factor ... 3-32
D ... 3-33
DD ... 3-25
Dtotal ... 3-25

A
ABNT NBR/IEC 61058-1 ... 3-42
ABNT NBR/IEC 61058-2-1 ... 3-42
Absence of feedback ... 5-18
Absolute liability ... 2-4, 2-5
Absolute pressure ... 8-38
Access ... 3-7, 4-3, 4-4, 4-5, 4-8, 4-9, 4-10, 4-15, 4-17, 4-18, 7-17, 7-31, 7-41
Access ... 4-9, 4-10, 8-17
Access to the danger zone ... 4-10, 4-17
Accident insurance law (UVG) ... 3-58
Accreditation Directive 765/2008/EC ... 3-54
Active optoelectronic protective devices ... 4-15
Activity of a producer ... 2-8
Actuator ... 5-3, 5-4, 5-6, 5-23, 6-13, 7-4
Adjustable guards restricting access ... 4-5
Air bubble cavitation ... 8-40
Air springs ... 8-23, 8-24
Analogue processing ... 5-12, 5-16
Annex I ... 2-7, 3-9, 3-11
Annex II B ... 3-9
Annex IV ... 3-9
Annex IX ... 3-10
Annex VI ... 3-9
Annex VII ... 3-10
Annex VIII ... 3-10
Annex X ... 3-10
ANSI (American National Standards Institute) ... 3-14, 3-41, 3-44
ANSI standards ... 3-41
Anthropometric data ... 3-29
Application area ... 2-20, 3-6, 3-16, 3-23, 3-30, 3-34
Application blocks ... 5-11, 5-12, 5-14, 5-15, 5-16
Application layer ... 6-14, 6-17, 6-18
Approach speed ... 3-18, 3-29, 4-7, 4-15, 8-23
Argentine Institute of Standardization and Certification (IRAM) ... 3-42
AS4024.1 ... 3-44
Assembled machinery ... 3-7
Assembler ... 2-8, 2-16
Assembler activity ... 2-8
Assembling ... 2-8
Assembly instructions ... 3-9, 3-13
Assembly of machines ... 3-6
Assessment ... 2-9, 3-25, 3-32, 3-45, 8-5
Assessment procedures ... 3-10
Associação Brasileira ... 3-42
Associação Brasileira de Normas Técnicas (ABNT) ... 3-42
Asynchronous motor ... 7-24, 7-27
ATEX ... 2-20, 5-10
Austrian Standards Institute (ÖNORM) ... 3-17
Authorised representative ... 3-6, 3-53
Automatic ... 5-15
Automation technology ... 5-11, 5-18, 5-24, 5-26, 5-32, 6-7, 6-13
Avoiding danger ... 8-11
Axes ... 5-16, 5-32, 7-7, 7-14, 7-16, 7-17, 7-18, 7-20, 7-26, 7-41

B
B and C standards ... 7-23
B10d ... 3-24, 3-32, 3-46, 7-31, 7-34
Basic Drive Module (BDM) ... 7-10
Basic physical knowledge ... 8-35
Bernoulli's equation ... 8-39
BG ... 3-8, 5-11, 5-26, 6-9
BGIA ... 3-32, 4-23
BGIA Dokument GS-ET-26 ... 3-22
Block diagram ... 7-29, 7-31, 7-33, 7-35, 7-42
Block properties ... 5-12
bmwfi ... 3-56
Body measurements ... 3-18
Bottom-up ... 3-48
Brake ... 7-20, 7-25, 7-30, 7-31, 8-31, 8-32, 8-33
Brake test ... 7-20
Braking ... 7-15, 7-16, 7-18, 8-1, 8-25, 8-31
Braking ramp ... 7-15, 7-16
British Standard (BS) ... 3-17
Broken shearpin ... 5-15
Bus scan time ... 6-13, 6-14
Bus systems ... 5-4, 5-17, 5-18, 5-24, 6-4, 6-5, 6-11, 6-13, 7-9

C
Calculation tool ... 3-23, 3-53
Calibration reports ... 3-57
Camshaft ... 5-15, 5-27, 5-28
CAN ... 6-7, 6-17
CAN communication standard ... 6-7
CANopen ... 6-9, 6-14, 6-17, 6-18, 7-7
CANopen standard ... 6-17
Category ... 3-26, 3-27, 7-12, 7-15, 7-32, 7-37, 8-57, 8-58, 8-59, 8-60, 8-61, 8-63
Category ... 3-26, 3-27, 4-20, 5-16, 7-6
Category 1, Performance Level b ... 8-58
Category 2, Performance Level b ... 8-59
Category 3, Performance Level d ... 8-60
Category 4, Performance Level e ... 8-61
Cause of damage ... 2-19
Cavitation ... 8-40
Cavitation types ... 8-40
CCC certification ... 3-43
CCF factor ... 3-25
CCOHS (Canadian Centre for Occupational Health and Safety) ... 3-41
CDCN ... 6-18
CE certification process ... 3-7
CE mark ... 3-5, 3-9, 3-10, 3-14
CE-marking ... 2-20, 3-5, 3-6, 3-7, 3-9, 3-11, 3-14, 3-16, 4-22
CEN ... 3-17, 3-27
CENELEC ... 3-17
Check list of manipulation incentives ... 4-23
Check valve ... 8-13, 8-28, 8-32, 8-50
Circuit diagram ... 5-11, 8-22, 8-23, 8-27, 8-32, 8-33, 8-34, 8-43, 8-45, 8-46, 8-47, 8-48, 8-49, 8-50, 8-55
Circuit-based solutions ... 8-25
Clamping cartridge ... 8-31, 8-33
CLC/TS 61496-2:2006 ... 3-19, 3-38, 4-7
CLC/TS 61496-3:2008 ... 3-19, 3-38, 4-7
CNC ... 5-23
Commissioning ... 3-9, 5-6, 7-9
Common cause factor ... 3-32
Communauté Européenne ... 3-5
Communication error ... 6-3, 6-7
Communication functions ... 6-4
Communication media ... 6-9
Communication standard ... 6-7
Communications hierarchy ... 6-15
Competent persons ... 3-58
Complete drive module (CDM) ... 7-10
Conduct contrary to safety ... 4-29
Configurable safety relays ... 5-4, 5-11, 5-13, 5-14, 5-16, 5-22
Configuration ... 3-26, 4-17, 7-22, 7-25, 8-23, 8-32, 8-33, 8-38, 8-54
Configuration tools ... 5-11
Conformity ... 3-5, 3-7, 3-11, 3-13, 3-15, 3-54
Conformity assessment procedures ... 3-16
Connecting ... 5-3, 5-7
Connection designation ... 8-33, 8-34
Connection logic ... 5-8
Constant pump ... 8-41, 8-51
Contact-based technology ... 5-9, 5-13
Continuity equation ... 8-39, 8-42, 8-44
Contractual liability ... 2-4
Control (SRP/CS) ... 7-28
Control circuit plans ... 3-13
Control system ... 3-19, 3-30, 3-34, 3-45, 4-11, 5-17, 5-18, 5-21, 5-23, 5-25, 6-13, 6-19, 7-11
Control technology ... 5-3, 5-18, 5-20, 5-24, 5-25, 8-34
Control valve ... 5-16
Control variable ... 7-5, 7-6
Controlled braking ... 7-15
Controlled loop status ... 7-17
Controlled stop ... 7-12, 7-14, 7-15, 7-16
Controller inhibit ... 4-21
Controller release ... 7-5, 7-6
Controlling valves ... 5-28
Converter ... 4-21, 7-4, 7-5, 7-6, 7-25, 7-31
Counter No. ... 6-19
Couplings or fastenings ... 8-55
CRC ... 6-19
Cross border business ... 2-4
Cross muting ... 5-14
Crushing ... 3-18, 4-7
CSA (Canadian Standards Association) ... 3-41
Customer group ... 2-7
Cycle initiation ... 5-15
Cycles ... 7-31
Cyclical data channel ... 6-17, 6-18

D
DACH ... 3-56
Daisy chain wiring ... 6-16
DAkkS (German Accreditation Body) ... 1-3, 3-53, 3-56, 3-57, 3-58, 3-59
Danger aversion measure ... 2-18
Dangers ... 2-12, 2-13, 2-14, 2-17, 2-18, 3-13, 4-3, 4-8, 4-22, 4-25, 4-28, 5-7, 5-26, 7-30, 8-5, 8-7, 8-8, 8-9, 8-10, 8-12, 8-15, 8-16, 8-17, 8-19, 8-21, 8-26, 8-54
DAP ... 3-56
Data exchange ... 5-13
Data security mechanism ... 6-4
DC value ... 3-25, 3-48
DCavg ... 3-25
Decentralised safety technology ... 6-3
Declaration of conformity ... 3-5, 3-6, 3-9, 3-10, 3-13, 3-14, 3-53
Declaration of incorporation ... 3-9, 3-13
Declaration of no objection ... 3-43
Defeating safeguards ... 4-23
Defect ... 2-6, 2-7, 2-9
Design error ... 2-7, 2-9, 2-12, 4-27
Design obligations ... 2-17
Design of safeguards ... 4-11
Design principles ... 3-20
Detection of shorts across contacts ... 5-17
Deterministic dangers ... 8-8, 8-9, 8-15, 8-19
Development error ... 2-9
Device and product safety act ... 2-20
Diagnostic capability ... 5-6
Diagnostic coverage (DC) ... 3-25, 3-26, 7-31, 8-30, 8-31
Diagnostic data ... 5-13
Diagnostic purposes ... 5-4
Differential circuit ... 8-49
Diligence measures ... 2-6
DIN ... 3-17
DIN EN 982 clause 6 ... 8-55
DIN EN ISO 14121-1 ... 8-54
DIN EN ISO 17020 ... 1-3, 3-53, 3-58
DIN regulations ... 2-5, 2-6, 2-10
Direction of approach ... 3-29
Direction of rotation ... 7-7, 7-35
Directive 98/37/EC ... 2-7, 3-15, 3-16
Directives ... 2-10, 2-12, 2-20, 3-3, 3-4, 3-5, 3-11, 3-14, 3-15, 3-41, 3-42, 3-44, 3-53
Directives and laws in America ... 3-41
Directives and laws in Asia ... 3-42
Directives and laws in Oceania ... 3-44
Distance monitoring ... 5-27
Distribution of burden of proof ... 2-10
DKD ... 3-56
Documentation ... 3-7, 3-13, 3-45, 3-50, 4-13, 8-4, 8-5
Domestic law ... 3-3
Doors ... 3-18
dop ... 7-31, 7-34
Downward movement ... 8-44
Drag error detection ... 7-37
Drive ... 4-11, 4-21, 7-4, 7-12, 7-15, 7-18, 7-19, 7-24, 7-25, 7-26, 7-27, 7-36, 7-37, 7-38, 7-39, 7-40, 8-4, 8-23, 8-30, 8-35
Drive bus ... 7-9, 7-26
Drive components ... 7-22, 7-23
Drive electronics ... 7-4, 7-23
Drive environment ... 5-16
Drive pump ... 8-51, 8-52, 8-53
Drive system ... 5-17, 7-3, 7-4, 7-6, 7-10, 7-11, 7-12, 7-25
Drive technology ... 4-21, 5-32, 7-6, 7-15, 7-16, 7-22, 7-23, 8-3
Drive-integrated monitoring ... 7-26, 7-36
Drive-integrated safety ... 4-21, 5-31, 7-3, 7-13
Drive-integrated safety technology ... 7-3, 7-19
Drive-integrated solution ... 7-6, 7-12, 7-19, 7-25
Due diligence measures ... 2-6
Duration of exposure to hazard ... 3-24
Duty to inform ... 2-13
Duty to instruct ... 2-13

E
EC declaration of conformity ... 3-9, 3-14, 3-16
EC directives ... 2-20
EC Machinery Directive 98/37/EC ... 2-7
Electrical codes (NEC) ... 3-41
Electrical safety ... 3-34
Electronic cam disk (synchronous motion) ... 7-26
Electronic safety relays ... 4-19, 5-6, 5-9
Electronics ... 1-3, 3-17, 5-32
Electrosensitive protective equipment ... 3-19, 3-38, 4-7, 4-15
Elliptical curve (resulting motion) ... 7-26
EMC Act/EMVG ..... 2-20
EMC directive ..... 3-15
EMC load ..... 6-9
EMC requirements ..... 3-19, 3-37
Emergency off/emergency stop ..... 5-3, 5-4, 5-6, 5-7, 5-9, 5-16, 5-24
Emergency stop devices ..... 7-34
EN 1005-1 to -4:2008 ..... 3-18
EN 1005-5:2007 ..... 3-18
EN 1010 ..... 4-24
EN 1037 ..... 4-21
EN 1037:2008 ..... 3-18
EN 1050 ..... 3-19, 3-20
EN 1088 ..... 4-9, 4-10, 4-28
EN 1088:1995+A2:2008 ..... 4-7
EN 1088:2007 ..... 3-18, 3-38
EN 12453:2000 ..... 3-18
EN 292 ..... 3-18, 3-20
EN 349:1995+A2:2008 ..... 4-7
EN 349:2008 ..... 3-18
EN 415 ..... 7-28
EN 547-1 to -3:2008 ..... 3-18
EN 574:2008 ..... 3-18
EN 60204-1 ..... 3-34, 3-41, 7-12
EN 60204-1:2007 ..... 3-34
EN 60204-1:2010 ..... 3-19
EN 60947-5-1:2009 ..... 3-19
EN 60947-5-2:2008 ..... 3-19
EN 60947-5-3:2007 ..... 3-19
EN 60947-5-4:2003 ..... 3-19
EN 60947-5-5:2006 ..... 3-19
EN 60947-5-6:2001 ..... 3-19
EN 60947-5-7:2003 ..... 3-19
EN 60947-5-8:2007 ..... 3-19
EN 60947-5-9:2008 ..... 3-19
EN 61326-3 parts 1+2:2008 ..... 3-19, 3-37
EN 61496-1:2010 ..... 3-19, 3-38, 4-7
EN 61496-3:2003 ..... 3-19, 3-38, 4-7
EN 61508 ..... 3-17, 3-19, 3-22, 3-30, 3-34, 3-35, 3-36, 3-39, 3-45
EN 61508 Parts 1-7:2010 ..... 3-19
EN 61511 Parts 1-3:2004 ..... 3-19
EN 61784-3:2010 ..... 3-19, 3-22
EN 61800 ..... 7-10, 7-11
EN 61800-5-2:2007 ..... 3-19, 3-38, 3-39
EN 62061 ..... 3-30, 3-34, 3-50, 4-10
EN 62061:2005 ..... 3-30
EN 62061:2010 ..... 3-19
EN 692 ..... 7-28
EN 693 ..... 7-28
EN 953 ..... 4-9, 4-28
EN 953:1997+A1:2009 ..... 4-7
EN 953:2009 ..... 3-18
EN 999 ..... 3-18, 3-29, 4-7
EN ISO 10218-1 ..... 7-28
EN ISO 11161:2010 ..... 3-18, 3-40
EN ISO 12100:2010 ..... 3-18, 3-20
EN ISO 12100-1 and 2 ..... 3-18, 3-20
EN ISO 12100-1:2009 ..... 3-20
EN ISO 12100-2:2009 ..... 3-20
EN ISO 13849-1 ..... 3-18, 3-20, 3-22, 3-23, 3-24, 3-25, 3-26, 3-27, 3-28, 3-30, 3-34, 3-39, 3-45, 3-46, 3-50, 3-52, 3-53, 4-11, 7-12, 7-28, 7-29, 7-31, 7-32, 7-34
EN ISO 13849-1:2008 ..... 3-24, 3-27, 3-28
EN ISO 13849-1:2009 ..... 3-18
EN ISO 13849-2:2008 ..... 3-18
EN ISO 13855 ..... 3-29, 4-14, 4-15, 4-16, 4-17, 7-33
EN ISO 13855:2010 ..... 3-18, 3-29, 4-7
EN ISO 13857:2008 ..... 3-18, 3-29, 4-7
EN ISO 14121-1:2007 ..... 3-19, 3-20
EN/IEC 61508 ..... 7-7, 7-10, 7-11
EN/IEC 61800-5-2 ..... 7-3, 7-6
Enable principle ..... 5-20, 5-21
Enable switch ..... 5-7, 7-34
Encoder cable ..... 5-16, 7-25
Encoder signal ..... 5-16, 7-7, 7-37, 7-38
Encoder systems ..... 7-7, 7-8, 7-19, 7-25
Encroachment from behind ..... 4-17, 4-19
End producer ..... 2-16
Energy supply ..... 4-21, 5-3, 7-5, 7-6, 7-30, 8-54
Environmental requirements ..... 3-51
EPDM ..... 4-19
Error reaction function ..... 7-25
Error state ..... 5-13
ESPE ..... 4-15, 4-16, 4-19
Ethernet ..... 5-18, 6-13, 6-14, 6-15
Ethernet communication system ..... 6-13
Ethernet OSI Layer ..... 6-14
Ethernet technology ..... 6-14
Ethernet/IP ..... 6-9
Ethernet-based fieldbus system ..... 6-13
EU importer ..... 2-8
European co-operation for Accreditation (EA) ..... 3-56
European directive 85/374/EEC ..... 2-5
European standards ..... 2-7
European Union ..... 3-3, 3-4
Evaluation logic ..... 5-4
Ex area ..... 5-10
Ex area II (1)GD [EEx ia] IIB/IIC ..... 5-10
Examples of safe motion ..... 7-28
Excess pressure ..... 2-13, 8-22, 8-38
Excessive functionality ..... 4-27
Exclusion of liability ..... 2-9
Exhaust throttles ..... 8-32
Exposition (exposure) ..... 3-23, 4-10
External commands ..... 7-42
External motion monitoring with one standard encoder ..... 7-37
External motion monitoring with safe encoder ..... 7-40
External motion monitoring with standard encoder and proximity switch ..... 7-38
External motion monitoring with two standard proximity switches ..... 7-39

F

Failsafe ..... 8-12
Failsafe control system ..... 5-20
Failsafe principle ..... 7-3, 7-25
Failure mode ..... 8-28
Failure to warn ..... 2-12
Fault rectification procedure ..... 4-25
Fault simulation (safety check) ..... 3-53
Fault tolerance ..... 3-33
Feasibility study ..... 2-17
Feasibility tests ..... 7-7
Fibre-optic (FO) communication ..... 6-9
Fibre-optic cable ..... 6-9, 6-12
Fibre-optic communication ..... 6-9
Fibre-optic routers ..... 6-9
Fieldbus ..... 3-19, 3-22, 5-13, 5-20, 5-21, 6-6, 6-11, 6-13, 6-16, 7-7, 7-9
Fieldbus communication ..... 6-6
Fieldbus modules ..... 5-13
Fieldbus standard ..... 6-17
Fieldbus system ..... 6-6, 6-13, 6-20
Fire Codes (NFPA) ..... 3-41
Fittings ..... 8-40
Fixed guards ..... 4-8, 4-11
Flow ..... 8-50
Flow forms ..... 8-39
Fluid power system ..... 8-35, 8-56
Force and path transmission ..... 8-38
Free of defects ..... 2-5, 2-6, 2-16
Freedom of movement ..... 3-16
Frequency converter ..... 6-14, 7-4, 7-23, 7-27, 7-37
Frequency of the exposure to the hazard ..... 3-24, 3-31
Friction shear stress ..... 8-40
Function blocks ..... 5-22, 5-29
Function test ..... 3-51, 3-53, 4-10, 8-55
Functional safeguard ..... 4-21
Functional safety ..... 1-3, 3-19, 3-23, 3-30, 3-34, 3-39, 7-3, 7-10

G

Generic safety standards and technical safety standards ..... 7-28
German Institute for Standardization (DIN) ..... 3-17
GOST-R certification ..... 3-42
Gravitational pressure ..... 8-38
Guard locking ..... 4-5, 4-9, 4-11
Guards ..... 4-4, 4-5, 4-6, 4-7, 4-8, 4-9, 4-11, 4-27, 8-17

H

Harmonisation ..... 3-3, 3-4, 3-17, 3-42
Harmonised standard ..... 3-4, 3-45
Hazard ..... 2-13, 3-13, 3-15, 4-8, 4-14, 4-15, 4-21, 5-3, 7-18, 7-19, 7-25, 8-5, 8-54
Hazard analysis ..... 3-13
Hazard assessment ..... 3-51
Hazard avoidance measure ..... 2-15
Hazard warnings ..... 2-15
Health and safety requirements ..... 3-11, 3-13, 3-16
Health risks ..... 2-13
High Demand Mode ..... 3-30
High-end safety solutions ..... 7-3
Holding and service brakes ..... 7-20, 7-30
Holding brake ..... 7-20, 7-24, 7-31, 7-32, 8-31
h_op ..... 7-31, 7-34
Hose colours ..... 8-34
Hose cross sections ..... 8-34
Hose numbers ..... 8-34
Hydraulic accumulator ..... 8-55
Hydraulic circuit ..... 8-43, 8-44, 8-45
Hydraulic control systems ..... 8-56, 8-62
Hydraulic fluid filtration (RF) ..... 8-56
Hydraulic system ..... 8-43
Hydraulic systems with hydraulic accumulator ..... 8-55
Hydraulic work ..... 8-39
Hydraulics ..... 3-34, 5-24, 8-3, 8-21, 8-23, 8-35, 8-40
Hydro pumps ..... 8-41
Hydrostatic power transmission ..... 8-35
I

I/O interconnection ..... 7-9, 7-26
IEC 60204-1 ..... 7-14, 7-15, 7-16
IEC 61131 ..... 5-22
IEC 61496-2:2006 ..... 3-19, 3-38, 4-7
IEC 61508 ..... 3-35, 5-32, 8-9
IEC TR 62061-1:2009 ..... 3-19
IEC/TR 62685:2010 ..... 3-19, 3-22
IEC/TS 62046:2008 ..... 3-19, 3-38
IL (Instruction List) ..... 5-17
Immunity requirements ..... 3-37
Implementation program ..... 2-17
Import ..... 2-8, 3-7
Importer ..... 2-8
Incomplete machinery ..... 3-9
Incorrect message sequence ..... 6-4
Increase productivity ..... 5-18
Incremental encoder ..... 7-27
Indicative safety technology ..... 4-3, 8-15, 8-19
Indirect safety technology ..... 8-15, 8-16, 8-17
Industrial communication networks ..... 3-19, 3-22
Industrial Safety and Health Law ..... 3-43
Infringement of a protected right ..... 2-11
Inherently dangerous products ..... 2-7
Input device ..... 5-16, 7-7, 7-8, 7-36, 7-37, 7-38, 7-40
Input devices ..... 3-38, 4-11, 4-18, 4-19, 5-4, 5-14, 5-27, 6-13, 7-24, 7-26, 7-36, 7-37, 7-38, 7-39, 8-30
Inputs/outputs ..... 5-11, 5-17
Installation ..... 5-7, 6-13
Installation process ..... 5-7
Institute for Standardization ..... 3-17
Instituto Argentino ..... 3-42
Instituto Nacional ..... 3-42
Instruction manual ..... 2-14
Integrated fault detection ..... 4-13
Integrated safe shutdown path ..... 7-14, 7-23
Interfaces/communication ..... 7-22
Interlock ..... 4-4, 4-5, 4-9, 4-24, 4-27, 4-29, 5-24, 8-54
Interlocking concept for special operating modes ..... 4-25
Interlocking device ..... 3-18, 3-38, 4-5, 4-7, 4-10
Intermediate circuit ..... 7-5, 7-6, 7-23
International Accreditation Forum (IAF) ..... 3-56
International Electrotechnical Commission (IEC) ..... 3-17, 3-44
International Laboratory Accreditation Cooperation (ILAC) ..... 3-56
International Organization for Standardization (ISO) ..... 3-17, 3-44
Inverted rectifier ..... 7-5, 7-6
I_S ..... 4-14
I_Smax ..... 4-14
I_Smax(i) ..... 4-14
ISO 14118:2000 ..... 3-18
ISO 14119:2006 ..... 3-18, 3-38
ISO 15189 ..... 3-57
ISO TR 23849:2010 ..... 3-19
ISO/IEC 17020 ..... 3-57
ISO/IEC 17025 ..... 3-57
ISO/OSI reference model ..... 6-15

J

JIS standards (Japan Industrial Standards) ..... 3-43
Jog function ..... 7-18, 7-33, 7-34
Jog mode ..... 7-3, 7-18, 8-58

L

Laser scanners ..... 3-38, 4-19, 5-10, 5-14
Law of friction ..... 8-40
Law of negligence ..... 2-4, 2-11
LD (Ladder Logic/Ladder Diagram) ..... 5-17
Leakages ..... 8-21, 8-54
Legal duty to maintain safety ..... 2-12
Liability of the end product manufacturer ..... 2-16
Liability of the quasi-manufacturer ..... 2-8
Liability of the supplier ..... 2-9, 2-17
Liability relief ..... 2-10
Liability to pay damages ..... 2-10
Lifecycle ..... 1-3, 3-34, 3-39, 7-22
Lifecycle phases ..... 3-13
Lift stops ..... 8-55
Light barrier ..... 3-38, 3-53, 4-6, 4-8, 5-6, 5-14, 5-15, 8-17, 8-23
Light curtain ..... 2-12, 3-38, 3-53, 4-17, 5-6, 6-7, 6-11
Limbs ..... 3-18, 3-29, 4-7
Limit value ..... 5-16, 7-3, 7-9, 7-12, 7-15, 7-16, 7-17, 7-18, 7-19, 7-24, 7-25, 7-36, 8-5, 8-54
Limit value violation ..... 7-12, 7-19, 7-42
Limitation ..... 2-10
Low Demand Mode ..... 3-30
Low voltage directive ..... 3-11, 3-15
Low-noise design ..... 8-54
M

MAC frames ..... 6-14
Machine availability ..... 7-6
Machine cycle ..... 7-34
Machinery ..... 2-10, 2-13, 2-15, 3-5, 3-6, 3-7, 3-8, 3-9, 3-11, 3-13, 3-14, 3-27, 3-28, 3-43, 3-45, 3-46, 3-47, 3-48, 3-50, 3-51, 3-53, 4-3, 4-4, 4-5, 4-6, 4-10, 4-11, 4-12, 4-14, 4-15, 4-17, 4-19, 4-24, 4-26, 4-27, 4-29, 5-3, 5-4, 5-6, 5-7, 5-18, 5-25, 5-32, 7-7, 7-9, 7-23, 7-25, 7-30, 8-4, 8-5, 8-8, 8-9, 8-12, 8-17, 8-19, 8-21, 8-22, 8-25, 8-26, 8-33, 8-34, 8-55, 8-59
Machinery Directive ..... 1-3, 2-7, 3-5, 3-6, 3-7, 3-8, 3-9, 3-10, 3-11, 3-13, 3-14, 3-15, 3-16, 3-18, 3-23, 3-28, 3-30, 3-59, 4-4, 4-7, 4-22, 4-26, 4-29, 8-4, 8-5, 8-9, 8-15, 8-33
Mains contactor ..... 7-5
Mandatory certification ..... 3-43
Manipulation of safeguards ..... 4-22
Manual controls ..... 4-20, 4-24
Manual start-up valve ..... 8-25
Manual valve ..... 8-25
Manufacturer ..... 2-3, 2-4, 2-5, 2-6, 2-7, 2-8, 2-9, 2-10, 2-11, 2-12, 2-13, 2-14, 2-15, 2-17, 2-18, 2-19, 3-3, 3-4, 3-5, 3-6, 3-7, 3-9, 3-11, 3-13, 3-22, 3-34, 3-39, 4-22, 4-24, 4-26, 4-27, 5-11, 7-11, 7-25, 7-31, 7-39, 7-40, 8-9, 8-33
Manufacturer's declaration ..... 3-9
Manufacturer's liability ..... 2-4
Manufacturing defect ..... 2-12
Manufacturing process ..... 3-52, 5-26, 7-11
Marking ..... 8-33
Master/slave system ..... 6-13
Material defects ..... 2-7, 2-12
Maximum amount for liability ..... 2-10
Measurements ..... 3-53, 3-57, 6-13
Mechanical dangers ..... 8-8, 8-10
Mechanical movement ..... 7-7
Mechanical spring ..... 8-23, 8-28, 8-34
Mechanics ..... 3-17, 3-34, 5-32, 8-3, 8-23, 8-26, 8-34
Mechatronic units ..... 5-25, 6-20
Medical Product Act/MPG ..... 2-20
Message Channel ..... 6-18
Message corruption ..... 6-4
Message delay ..... 6-4
Message insertion ..... 6-4
Message loss ..... 6-4
Message repetition ..... 6-3, 6-4
Microprocessor technology ..... 5-6, 5-9
Minimum distances ..... 3-18, 4-7, 4-17, 8-16
Minimum speed ..... 7-18
MLA (Multilateral Recognition Arrangement) ..... 3-56
Modification ..... 6-8
Modular machine design ..... 6-20
Modularisation ..... 5-23, 5-25
Monitored disconnection ..... 5-4, 5-10
Monitoring function ..... 5-4, 5-18, 5-24, 7-16, 7-18, 7-25, 7-36, 7-37, 7-38, 7-39, 7-40
Monitoring obligation ..... 4-27
Motion ..... 5-23, 5-24, 5-25
Motion control ..... 4-21, 7-4, 7-26
Motion control system ..... 7-26
Motion generation ..... 7-4, 7-12
Motion monitoring ..... 7-24, 7-25, 7-26, 7-27, 7-36, 7-37, 7-38, 7-39, 7-40
Motion monitoring with external devices ..... 7-36
Motor ..... 2-11, 2-12, 7-3, 7-4, 7-5, 7-6, 7-7, 7-9, 7-10, 7-12, 7-14, 7-15, 7-16, 7-17, 7-19, 7-24, 7-25, 7-31
Motor contactor ..... 7-5, 7-6
Motor current ..... 7-19
Motor feedback ..... 7-7
Movable guards ..... 3-18, 4-5, 4-7, 4-11, 4-13, 4-14
Movable safeguards ..... 5-4
MRA (Mutual Recognition Agreement) ..... 3-56
MS6-SV ..... 8-26, 8-27
MSCN (Message Channel) ..... 6-18
MTTF_d (mean time to dangerous failure) ..... 3-24
Multi-master bus system ..... 6-13, 6-14
Multi-turn encoder ..... 7-7
Muting ..... 4-18, 7-35
Muting function ..... 4-18, 5-10, 5-14
Muting lamp ..... 5-14, 5-15

N

N/C contacts ..... 4-12, 7-6
National Standards Institute (INN) ..... 3-42
Navier-Stokes equation ..... 8-39
NC control system ..... 7-26
New Machinery Directive ..... 1-3, 3-5, 3-8
NFPA (National Fire Protection Association) ..... 3-41
NFPA 79 ..... 3-40, 3-41
NFPA 79:2008 ..... 3-40
NFPA 79:2009 ..... 3-19
Noise Directive ..... 3-15
Non-safety-related communication function ..... 6-4
Normal mode ..... 4-10, 4-27, 8-27
Normally energised mode ..... 8-57
Normally open principle ..... 4-19
Notified body ..... 3-16, 3-42, 3-43

O

Occupational Health and Safety Act (OH&S, Gesetz über Arbeits- und Gesundheitsschutz) ..... 3-44
OD (Ordinary Device) ..... 6-16
Official Journal of the EU ..... 3-3, 3-4, 3-27
Oil flow control ..... 8-44
Old machine ..... 3-7
Old Machinery Directive ..... 3-15
One-stop producer ..... 2-15
Open circuit ..... 5-4, 5-32, 7-12, 8-16
Opening frequency ..... 4-10, 4-28
Operating manual ..... 3-6, 3-13, 3-53, 4-3, 4-22, 4-25, 8-4, 8-19, 8-33
Operating mode selection ..... 5-28
Operating pressure ..... 8-22, 8-23, 8-24, 8-25, 8-33, 8-35, 8-54, 8-55
Operating pressure range ..... 8-54
Operating temperatures ..... 8-54
Operator ..... 2-14, 3-6, 3-40, 3-43, 3-51, 3-53, 4-26, 4-27, 5-7, 8-23
Optocoupler ..... 7-5, 7-6, 7-23
OSHA (Occupational .....
OSHA standards ..... 3-41
OSI reference model ..... 6-15, 6-18
OSSD ..... 4-13, 4-14
Outliers ..... 2-12
Overall circuit ..... 7-29, 7-32, 7-34, 7-35, 7-42
Overrun ..... 7-3, 7-19, 7-23, 8-23, 8-33, 8-60
Own use ..... 3-7

P

Packet Identifier ..... 6-19
Parallel circuit ..... 8-46, 8-48, 8-49
Parameter tool ..... 5-12
Parameters S, F and P ..... 3-28
Particularly hazardous machinery ..... 3-9
Partly completed machinery ..... 3-9
Parts of the body ..... 3-18, 3-29, 4-7, 4-15, 8-16
PAScal Safety Calculator ..... 3-23, 3-30, 3-49, 3-53, 7-32
Passport to Europe ..... 3-5
PDS/Safety-Related (SR) ..... 7-10
Peak current I_S ..... 4-14
Pendulum movement ..... 5-27
Performance Level ..... 3-23, 3-25, 3-46, 3-50, 3-53, 4-11, 5-16, 7-28, 7-29, 7-30, 7-31, 7-32, 7-34, 7-35, 7-37, 7-38, 8-26, 8-27, 8-30, 8-31, 8-57, 8-58, 8-59, 8-60, 8-61, 8-62
Performance Level, required (PL_r) ..... 3-23, 3-24, 3-27, 3-46, 3-49
Personal injury or material damage ..... 2-4
Personal Protective Equipment Directive ..... 3-15
PFD (probability of failure on demand, low demand mode) ..... 3-30
PFH_D ..... 3-33, 7-32
Physical performance ..... 3-18
PID (Packet Identifier) ..... 6-19
Piston forces ..... 8-41, 8-42
Piston pressure force ..... 8-41
Piston speed ..... 8-42, 8-44, 8-88
PL ..... 3-24, 3-25, 3-27, 3-48, 4-13, 7-29, 7-32, 7-37, 7-38, 7-39, 7-40, 8-26, 8-31, 8-58, 8-59, 8-60, 8-61, 8-62
PL e ..... 4-13, 7-38, 7-39, 7-40, 8-62
PL graph ..... 3-24, 3-27, 7-32
Placing on the market ..... 2-9, 2-10, 2-11, 3-16
PLC ..... 5-17, 5-29
PMCprotego DS ..... 5-31
Pneumatic components ..... 8-21, 8-22
Pneumatic system ..... 3-34, 5-24, 8-3, 8-21, 8-23, 8-24, 8-25, 8-26, 8-30, 8-34
PNOZ ..... 5-3, 8-27
PNOZelog ..... 5-9
PNOZmulti ..... 4-21, 5-4, 5-25, 5-28
PNOZsigma ..... 5-6
Polling ..... 6-7
Position monitoring ..... 5-4, 5-16, 7-19
Position window ..... 7-12, 7-17, 7-19
Positioning ..... 7-26
Positioning control ..... 7-26
Possibility of avoidance ..... 3-24
Possibility of defeat ..... 3-38, 4-17
Power contactor ..... 5-4, 8-60
Power drive system (PDS) ..... 7-10
Press applications ..... 5-15
Press safety valve ..... 5-15
Press stroke ..... 5-27
9-10
Pilz GmbH & Co. KG, Felix-Wankel-Straße 2, 73760 Ostfildern, Germany Telephone: +49 711 3409-0, Telefax: +49 711 3409-133, E-Mail: pilz.gmbh@pilz.de
Chapter 9 Appendix
9.1 Index
Pressure ... 2-10, 4-23, 4-27, 8-22, 8-24, 8-25, 8-33, 8-34, 8-35, 8-38, 8-39, 8-40, 8-41, 8-43, 8-47, 8-48, 8-49, 8-53, 8-54, 8-57, 8-58
Pressure drops ... 8-40
Pressure intensifier ... 8-42
Pressure limitation ... 8-22, 8-56, 8-57, 8-62
Pressure limitation in the system (VDB) ... 8-56
Pressure losses ... 8-40
Pressure relief valve ... 8-43
Pressure sensitive mats ... 4-17, 4-19
Pressure source ... 8-34
Pressure transmission ... 8-39
Pressure values ... 8-22
Presumption of conformity ... 3-3, 3-4, 3-23, 3-27, 3-30
Primary control ... 8-50
Probability of occurrence ... 2-18
Problems due to EMC ... 6-4
Procedures used to attach and monitor safeguards ... 4-28
Process data object ... 6-17, 6-18
Process data objects (PDOs) ... 6-17
Producer liability ... 2-4, 2-11
Producer Liability Act ... 2-3
Product completion ... 2-8
Product defect ... 2-5, 2-6, 2-7, 2-10, 2-18, 2-19
Product improvement ... 2-9
Product liability ... 3-28
Product liability act ... 2-3, 2-4, 2-5, 2-9, 2-10, 2-11, 2-12, 2-20
Product migration ... 2-7
Product monitoring ... 2-3, 2-15, 2-18, 2-19, 4-27
Product or producer liability ... 2-4
Product Safety Directive ... 3-15
Product standards ... 3-27, 3-38
Product supervision duty ... 2-14
Product supervision error ... 2-12
Production based on division of labour ... 2-15
Profibus DP ... 6-9
Programmable logic control system (PLC) ... 5-3
Protective device ... 3-38, 4-5, 4-8, 4-9, 4-10, 4-11, 4-15, 4-17, 4-24, 4-28, 4-29, 8-17
Protective devices ... 4-5, 4-7, 4-8, 8-17
Protective law ... 2-20
Proximity switches ... 4-13
PSSu multi ... 5-29
Publisher/subscriber principle ... 6-16

Q
Quality assurance ... 2-15, 2-16, 2-17, 3-57, 3-59
Quality assurance agreements ... 2-16, 2-17
Quality assurance measures ... 2-17
Quasi-manufacturer ... 2-8
Quiet running ... 8-51

R
Radio Equipment Directive ... 3-15
Range monitoring ... 5-16
Rated holding torque ... 7-31
RC control ... 7-26
Reaction function ... 7-19, 7-25
Reaction times ... 5-18, 6-8, 6-9, 7-3, 7-15, 7-16, 7-23, 7-25, 7-42
Real-time communication ... 6-16
Recall ... 2-15, 2-18, 2-19
Reduction factor ... 7-32
Redundancy ... 4-13, 6-3, 6-5, 8-12, 8-13, 8-14
Redundant design ... 5-6
Reed contacts ... 4-14
Reference variable ... 7-5, 7-6
Relay circuits ... 5-3
Relay technology ... 5-4, 5-6
Relays ... 2-7, 3-52, 4-14, 5-3, 5-6
Required characteristics of guards and protection devices ... 4-4
Requirement manual ... 3-7
Residual risk ... 2-13, 3-13, 4-26, 4-27, 8-9
Resistance coefficient ... 8-40
Restart ... 4-17, 4-21, 5-12, 7-6, 7-14, 7-23, 8-54
Retrofit ... 2-18, 7-25
REYNOLDS NUMBER ... 8-39
RFID ... 4-13
Ring area ... 8-48, 8-49
Risk ... 2-4, 2-15, 3-13, 2-23, 3-24, 2-27, 3-31, 4-5, 4-26, 4-28, 4-29, 5-3, 8-5, 8-9, 8-19, 8-23, 8-29
Risk analysis ... 3-12, 3-20, 3-23, 3-31, 3-43, 7-11, 7-18, 7-20, 7-23, 7-28, 7-30, 8-30
Risk assessment ... 3-9, 3-11, 3-12, 3-19, 3-20, 3-45, 3-46, 3-53, 4-11, 8-9, 8-24
Risk assessment in accordance with EN 62061, EN ISO 13849-1 ... 4-11
Risk evaluation ... 3-18, 3-20, 3-23, 3-27, 3-28, 3-31, 3-33, 3-39, 4-16, 4-22, 8-6, 8-9, 8-54
Risk factors ... 3-20
Risk graph ... 3-23, 3-24, 3-28, 3-30, 3-31
9-11
Risk minimisation ... 3-20, 3-45
Risk prevention ... 2-19
Risk reduction ... 3-18, 3-20, 3-21, 5-4
Root Device ... 6-16
Rotary encoder ... 6-14, 7-6, 7-7, 7-36, 7-37, 7-38, 7-39, 7-40
Rotation direction monitoring ... 5-28
Rotational speed ... 3-19, 3-39, 5-4, 5-10, 5-12, 5-16, 7-10, 7-12, 8-37, 8-41, 8-55, 8-58
R_Pmin ... 4-14
RSA ... 3-17
R_Smin(i) ... 4-14
RTFL (Real Time Frame Line) ... 6-14, 6-15, 6-16
RTFN (Real Time Frame Network) ... 6-14, 6-15
Rule breach ... 4-25
Run ... 3-40, 4-3, 4-10, 4-21, 6-18, 7-9, 7-12, 7-14, 7-16, 7-17, 7-20, 7-24, 7-25, 8-34, 8-41, 8-54
Run monitoring ... 5-15

S
S = (K x T) ... 4-14
S = (K x T) + C ... 4-17
S = K * (t1 + t2) + C ... 4-15
Sabotage ... 4-24
Safe absolute position ... 7-7
Safe acceleration range (SAR) ... 7-17
Safe analogue processing ... 5-16
Safe brake control (SBC) ... 7-20
Safe brake function ... 7-20
Safe brake test (SBT) ... 7-20
Safe braking ... 7-25
Safe cam (SCA) ... 7-19
Safe camera system ... 3-38, 3-59, 4-15, 4-19, 7-3
Safe camera systems ... 3-38, 3-59, 4-15, 4-19, 7-3
Safe camera-based solution ... 7-36
Safe communication ... 5-13, 6-8, 6-9, 6-18, 6-19
Safe condition ... 7-3
Safe control systems ... 5-22, 7-9
Safe control technology ... 5-3, 5-24
Safe decentralisation ... 5-20
Safe direction (SDI) ... 7-19, 7-36, 7-37, 7-38, 7-40
Safe direction (SDI) ... 7-35
Safe drive function ... 7-3
Safe encoder ... 7-8, 7-40
Safe life principle ... 8-12
Safe limit value specification ... 7-9
Safe logic ... 7-24
Safe motion ... 7-3, 7-22
Safe motion ... 7-3
Safe motion control ... 4-21, 7-4
Safe motion function ... 7-17
Safe motion monitoring ... 7-9, 7-26
Safe operating stop (SOS) ... 7-16, 7-17, 7-36, 7-37, 7-38, 7-40
Safe reset lock ... 7-14, 7-23
Safe Service Data Objects ... 6-18
Safe speed monitoring (SSM) ... 7-19
Safe speed range (SSR) ... 7-18, 7-36, 7-37, 7-38, 7-40
Safe stop 1 (SS1) ... 7-7, 7-12, 7-14, 7-16
Safe stop 2 (SS2) ... 7-12, 7-16, 7-17
Safe stop function ... 7-14, 7-19, 7-28, 7-32, 7-35
Safe stop function on vertical axes ... 7-30
Safe torque off (STO) ... 7-12, 7-14
Safe torque range (STR) ... 7-19
Safeguarding detection zones with a safe camera-based solution ... 7-41
Safely limited acceleration (SLA) ... 7-17
Safely limited increment (SLI) ... 7-19
Safely limited position (SLP) ... 7-19
Safely limited speed (SLS) ... 7-18, 7-19, 7-33, 7-34, 7-36, 7-37, 7-38, 7-39, 7-40
Safely limited torque (SLT) ... 7-19
Safely reduced speed ... 7-3, 7-18
Safety and Health Organisation) ... 3-41
Safety chain ... 5-4, 7-13, 8-29
Safety characteristic data ... 7-36
Safety component ... 3-6, 3-10, 3-52, 8-21, 8-26
Safety control systems ... 3-34, 5-4, 5-17, 5-20, 5-22, 5-26, 5-27, 5-28, 5-29, 5-31, 5-32, 6-7, 6-9, 7-3, 7-24
Safety distance ... 4-6, 4-14, 4-15, 4-16, 4-17, 7-42
Safety fence ... 4-6, 4-14, 4-17
Safety functions ... 3-22, 3-23, 3-27, 3-30, 3-38, 3-39, 3-46, 3-47, 3-48, 3-49, 3-50, 3-51, 3-53, 4-11, 5-3, 5-4, 5-6, 5-9, 5-11, 5-16, 5-17, 5-21, 5-27, 5-28, 5-32, 6-17, 7-3, 7-6, 7-7, 7-10, 7-11, 7-12, 7-13, 7-14, 7-15, 7-16, 7-17, 7-18, 7-19, 7-20, 7-21, 7-23, 7-24, 7-25, 7-26, 7-28, 7-29, 7-30, 7-31, 7-33, 7-35, 7-36, 7-37, 7-38, 7-39, 7-40, 7-41, 7-42, 8-9, 8-29, 8-31, 8-57, 8-59, 8-61
Safety gate ... 3-59, 4-9, 4-11, 4-12, 4-13, 4-14, 5-6, 5-7, 5-9, 5-12, 5-16, 5-24, 5-28, 5-32, 6-11, 7-3
Safety guidelines ... 2-14, 8-19
9-12
Safety integrity ... 7-8, 7-11, 7-13, 7-23
Safety Integrity Level (SIL) ... 3-31, 3-46, 3-50
Safety lockout ... 7-16
Safety objectives ... 3-3, 3-4, 3-48, 8-26
Safety principles ... 3-22, 3-47, 3-52, 8-24, 8-57, 5-58, 8-59, 8-60, 8-61, 8-62
Safety relays ... 3-34, 4-14, 4-18, 4-19, 5-3, 5-4, 5-6, 5-7, 5-8, 5-9, 5-10, 5-11, 5-12, 5-13, 5-14, 5-16, 5-22, 7-24
Safety requirements ... 2-20, 3-16, 3-50, 5-13, 7-12, 7-25, 8-54, 8-55
Safety standard ... 2-6, 2-7, 2-9
Safety switches with integrated fault detection ... 4-13
Safety warning ... 2-6, 2-7, 2-9, 2-17, 2-19
SafetyBUS p ... 6-3, 6-5, 6-6, 6-7, 6-8, 6-9, 6-10, 6-11, 6-12
SafetyBUS p system description ... 6-7
SafetyNET p ... 6-3, 6-4, 6-13, 6-14, 6-15, 6-16, 6-17, 6-18, 6-19, 6-20, 7-7
Safety-related communication ... 6-3, 6-8, 6-9, 6-13, 6-18
Safety-related communication function ... 6-4
Safety-related message ... 6-4, 6-5
Schematic ... 8-26, 8-27
Screw joints ... 8-23, 8-34
Screw pump ... 8-52
SDO (service data objects) ... 6-17
Secondary control ... 8-50
Sector standard ... 3-24, 3-30, 3-34, 3-37, 3-45, 7-11
Segmented shutdowns ... 4-24
Selectable operating modes and times ... 5-6
Semiconductor outputs ... 5-4, 5-6
Sensor subsystem ... 7-38, 7-39
Sequence valve ... 8-47
Sequential muting ... 5-14
Series connection ... 4-11, 4-12, 7-28, 7-29, 7-31, 7-33, 7-35
Series connection ... 4-9, 4-14, 8-46, 8-48
Service data objects ... 6-17
Service unit ... 8-22, 8-25, 8-27, 8-34
Servo amplifiers ... 2-8, 7-4, 7-12, 7-14, 7-15, 7-23, 7-26, 7-28
Servo and frequency converter ... 7-11
Servo converter ... 7-25, 7-26
Servo presses ... 5-27
Setpoint specification ... 7-6
Set-up Mode ... 5-15, 7-18, 7-19, 8-24
Severity of injury ... 3-24
SFF ... 3-33
Shutdown ... 1-3, 4-18, 4-21, 5-3, 5-26, 5-31, 7-3, 7-17, 7-18, 7-24, 8-60
Shutdown path ... 7-4, 7-5, 7-6, 7-14, 7-23, 7-24
Signal flow path ... 4-26
Significant change ... 3-8
Sin/cos encoders: sin² + cos² = 1 ... 7-40
Sine/cosine motor encoder ... 7-24, 7-26
Single axis ... 7-26
Single Stroke ... 5-15
Sistema ... 3-53
Slide stroke ... 5-27
Software tool ... 5-11
SPDO ... 6-18, 6-19
Specifications ... 2-6, 2-17, 3-13, 3-48
Speed control ... 8-44, 8-50
Speed monitoring ... 4-21
Speed threshold ... 7-17
SRCF ... 3-48
SSDOs (Safe Service Data Objects) ... 6-18
Standard communication ... 6-8
Standard encoder ... 5-16, 7-8, 7-36, 7-37, 7-38
Standard ISO 9001 ... 3-57
Standard sensors ... 7-38, 7-39
Standards ... 1-3, 2-6, 2-7, 2-10, 3-3, 3-4, 3-11, 3-13, 3-15, 3-16, 3-17, 3-18, 3-20, 3-27, 3-28, 3-37, 3-38, 3-41, 3-42, 3-44, 3-45, 3-50, 3-54, 3-57, 4-7, 4-9, 5-4, 5-26, 5-32, 6-8, 7-28, 8-9, 8-34, 8-57
Standards Australia ... 3-44
Standards for dimensioning of guards ... 4-7
Standards for guards ... 4-7
Standards for the design of protective devices or electrosensitive protective equipment ... 4-7
Standstill ... 5-16, 7-3, 7-12, 7-16, 7-20, 7-42
Standstill detection ... 7-15, 7-16
Standstill position ... 7-16, 7-17
Standstill threshold ... 7-12
Statistical methods ... 3-23, 3-30
Steam bubble cavitation ... 8-40
Stochastic dangers ... 8-8, 8-9, 8-10, 8-12, 8-15
Stop ... 4-5, 4-11, 5-4, 7-12, 7-14, 7-15, 7-16, 7-20
Stop category ... 7-12, 8-28
9-13
Stop function ... 7-12, 7-14, 7-19, 7-28, 7-29, 7-30, 7-32, 7-34, 7-35
Stop functions ... 7-12
Stopping ... 8-31
Structural components ... 6-7
Structural methods ... 3-23, 3-30
Subscriber ... 6-16
Suspended loads ... 7-20
SWISS INSPECTION ... 3-56
Switching position sensing ... 8-30
Synchronisation ... 7-16
Synchronous circuits ... 8-46
System category ... 3-25
System examination ... 3-24, 3-32, 7-22

T
T1 mission time ... 3-33, 4-15
T2 diagnostic test interval ... 3-33, 4-15
t_cycle ... 7-42
Technical documentation ... 3-13
Technical specification ... 2-5, 3-13
Telegram ... 6-3, 6-4, 6-7, 6-8, 6-18
Telegram structure ... 6-19
Terminal Equipment Act/FTEG ... 2-20
Terminal voltage ... 7-5
Test results ... 3-13, 3-48
TGA/DATECH ... 3-56
Throttle check valves ... 8-32
Time delay ... 7-15, 7-16
Timeout ... 6-4
t_multi ... 7-42
Toothed gear pumps ... 8-51, 8-53
Top-down ... 3-48
Topology ... 6-14
Torque measuring system ... 7-19
Torque monitoring ... 5-32
Tortious liability ... 2-4, 2-14
t_rampe ... 7-42
Transition periods ... 3-3, 3-27, 3-34
TRBS 1203 ... 3-58
t_reac = t_multi + t_PMC + t_ramp ... 7-42
t_reac = t_PMC + t_ramp ... 7-42
TÜV ... 5-11, 5-26, 6-9
Two-cylinder control systems with electric valves ... 8-46
Two-hand ... 5-6
Two-hand control device ... 4-20
Two-hand relays ... 3-18, 4-17, 4-20, 8-17
Type C ... 3-58
Type-examination ... 3-16, 3-3-42

U
UDP/IP-based communication ... 6-14, 6-15
UL ... 3-17
Unexpected start-up ... 3-18, 4-11, 4-21, 7-14, 8-25, 8-54
Unintended restart ... 4-21
Upgrade ... 2-15, 3-8, 8-34
U_Pmax ... 4-14
Upward movement ... 8-43

V
Validation ... 3-18, 3-23, 3-30, 3-45, 3-46, 3-47, 3-48, 3-49, 3-50, 3-51, 3-52, 3-53, 4-11
Validation of safety functions ... 3-23, 3-30, 3-49, 3-50
Valve cross section ... 8-44
Valves with defined switching position ... 8-55
Vane pumps ... 8-53
Variable pump ... 8-41
VCI regulations ... 2-10
VDE guidelines ... 2-10
VDE or ETSI standards ... 2-10
VDE recommendations ... 2-7, 2-10
Ventilation time ... 8-33
Venting ... 8-25, 8-26, 8-27, 8-33
Vertical axes ... 7-14, 7-25, 7-30
Viscosity ... 8-40, 8-57
Visualisation ... 5-23, 5-25
V-Model ... 3-50
Volumetric efficiency factor ... 8-39

W
Walking and hand speed ... 4-15, 4-17
Warning ... 2-14, 2-15, 2-18
Warning notes ... 2-13, 2-14, 2-17
Wireless and antenna technology ... 6-10
Wireless communication ... 6-10
Wiring requirement ... 5-7, 5-8, 5-9, 5-13, 7-12, 7-23, 7-25
9-14
© 2008 by Pilz GmbH & Co. KG, Ostfildern. 3rd, revised and expanded edition
9-15